diff --git a/clusters/android.json b/clusters/android.json
index 4392f4b..f5bc8e1 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -1,3781 +1,4195 @@ { - "values": [ - { - "value": "CopyCat", - "description": "CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote – a daemon responsible for launching apps in the Android operating system – that allows the malware to control any activity on the device.", - "meta": { - "refs": [ - "https://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/" - ] - } - }, - { - "value": "Andr/Dropr-FH", - "description": "Andr/Dropr-FH can silently record audio and video, monitor texts and calls, modify files, and ultimately spawn ransomware.", - "meta": { - "refs": [ - "https://nakedsecurity.sophos.com/2017/07/21/watch-out-for-the-android-malware-that-snoops-on-your-phone/", - "https://www.neowin.net/news/the-ghostctrl-android-malware-can-silently-record-your-audio-and-steal-sensitive-data" - ], - "synonyms": [ - "GhostCtrl" - ] - } - }, - { - "value": "Judy", - "description": "The malware, dubbed Judy, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.", - "meta": { - "refs": [ - "http://fortune.com/2017/05/28/android-malware-judy/", - "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" - ] - } - }, - { - "value": "RedAlert2", - "description": "The trojan waits in hiding until the user opens a banking or social media app. When this happens, the trojan shows an HTML-based overlay on top of the original app, alerting the user of an error, and asking to reauthenticate. 
Red Alert then collects the user's credentials and sends them to its C&C server.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/researchers-discover-new-android-banking-trojan/" - ] - } - }, - { - "value": "Tizi", - "description": "Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.", - "meta": { - "refs": [ - "https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html" - ] - } - }, - { - "value": "DoubleLocker", - "description": "DoubleLocker can change the device’s PIN, preventing victims from accessing their devices, and also encrypts the data requesting a ransom. It will misuse accessibility services after being installed by impersonating the Adobe Flash player - similar to BankBot.", - "meta": { - "refs": [ - "https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/" - ] - } - }, - { - "value": "Svpeng", - "description": "Svpeng is a Banking trojan which acts as a keylogger. If the Android device is not Russian, Svpeng will ask for permission to use accessibility services. In abusing this service it will gain administrator rights allowing it to draw over other apps, send and receive SMS and take screenshots when keys are pressed. 
", - "meta": { - "refs": [ - "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/", - "https://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/" - ], - "synonyms": [ - "Invisble Man" - ] - } - }, - { - "value": "LokiBot", - "description": "LokiBot is a banking trojan for Android 4.0 and higher. It can steal the information and send SMS messages. It has the ability to start web browsers, and banking applications, along with showing notifications impersonating other apps. Upon attempt to remove it will encrypt the devices' external storage requiring Bitcoins to decrypt files.", - "meta": { - "refs": [ - "https://clientsidedetection.com/lokibot___the_first_hybrid_android_malware.html" - ] - } - }, - { - "value": "BankBot", - "description": "The main goal of this malware is to steal banking credentials from the victim’s device. It usually impersonates flash player updaters, android system tools, or other legitimate applications.", - "meta": { - "refs": [ - "https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot", - "https://forensics.spreitzenbarth.de/android-malware/", - "https://blog.avast.com/mobile-banking-trojan-sneaks-into-google-play-targeting-wells-fargo-chase-and-citibank-customers" - ] - } - }, - { - "value": "Viking Horde", - "description": "In rooted devices, Viking Horde installs software and executes code remotely to get access to the mobile data.", - "meta": { - "refs": [ - "http://www.alwayson-network.com/worst-types-android-malware-2016/" - ] - } - }, - { - "value": "HummingBad", - "description": "A Chinese advertising company has developed this malware. The malware has the power to take control of devices; it forces users to click advertisements and download apps. 
The malware uses a multistage attack chain.", - "meta": { - "refs": [ - "http://www.alwayson-network.com/worst-types-android-malware-2016/", - "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf" - ] - } - }, - { - "value": "Ackposts", - "description": "Ackposts is a Trojan horse for Android devices that steals the Contacts information from the compromised device and sends it to a predetermined location.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-072302-3943-99" - ] - } - }, - { - "value": "Wirex", - "description": "Wirex is a Trojan horse for Android devices that opens a backdoor on the compromised device which then joins a botnet for conducting click fraud.", - "meta": { - "refs": [ - "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/", - "http://www.zdnet.com/article/wirex-ddos-malware-given-udp-flood-capabilities/" - ] - } - }, - { - "value": "WannaLocker", - "description": "WannaLocker is a strain of ransomware for Android devices that encrypts files on the device's external storage and demands a payment to decrypt them.", - "meta": { - "refs": [ - "https://fossbytes.com/wannalocker-ransomware-wannacry-android/" - ] - } - }, - { - "value": "Switcher", - "description": "Switcher is a Trojan horse for Android devices that modifies Wi-Fi router DNS settings. Swticher attempts to infiltrate a router's admin interface on the devices' WIFI network by using brute force techniques. 
If the attack succeeds, Switcher alters the DNS settings of the router, making it possible to reroute DNS queries to a network controlled by the malicious actors.", - "meta": { - "refs": [ - "http://www.zdnet.com/article/this-android-infecting-trojan-malware-uses-your-phone-to-attack-your-router/", - "https://www.theregister.co.uk/2017/01/03/android_trojan_targets_routers/", - "https://www.symantec.com/security_response/writeup.jsp?docid=2017-090410-0547-99" - ] - } - }, - { - "value": "Vibleaker", - "description": "Vibleaker was an app available on the Google Play Store named Beaver Gang Counter that contained malicious code that after specific orders from its maker would scan the user's phone for the Viber app, and then steal photos and videos recorded or sent through the app.", - "meta": { - "refs": [ - "http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-videos-505758.shtml" - ] - } - }, - { - "value": "ExpensiveWall", - "description": "ExpensiveWall is Android malware that sends fraudulent premium SMS messages and charges users accounts for fake services without their knowledge", - "meta": { - "refs": [ - "https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/", - "http://fortune.com/2017/09/14/google-play-android-malware/" - ] - } - }, - { - "value": "Cepsohord", - "description": "Cepsohord is a Trojan horse for Android devices that uses compromised devices to commit click fraud, modify DNS settings, randomly delete essential files, and download additional malware such as ransomware.", - "meta": { - "refs": [ - "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/cepsohord" - ] - } - }, - { - "value": "Fakem Rat", - "description": "Fakem RAT makes their network traffic look like well-known protocols (e.g. 
Messenger traffic, HTML pages).", - "meta": { - "refs": [ - "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf", - "https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99" - ] - } - }, - { - "value": "GM Bot", - "description": "GM Bot – also known as Acecard, SlemBunk, or Bankosy – scams people into giving up their banking log-in credentials and other personal data by displaying overlays that look nearly identical to banking apps log-in pages. Subsequently, the malware intercepts SMS to obtain two-factor authentication PINs, giving cybercriminals full access to bank accounts.", - "meta": { - "refs": [ - "https://blog.avast.com/android-trojan-gm-bot-is-evolving-and-targeting-more-than-50-banks-worldwide" - ], - "synonyms": [ - "Acecard", - "SlemBunk", - "Bankosy" - ] - } - }, - { - "value": "Moplus", - "description": "The Wormhole vulnerability in the Moplus SDK could be exploited by hackers to open an unsecured and unauthenticated HTTP server connection on the user’s device, and this connection is established in the background without the user’s knowledge.", - "meta": { - "refs": [ - "http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html" - ] - } - }, - { - "value": "Adwind", - "description": "Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. 
According to the author, the backdoor component can run on Windows, Mac OS, Linux and Android platforms providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.", - "meta": { - "refs": [ - "https://securelist.com/adwind-faq/73660/" - ], - "synonyms": [ - "AlienSpy", - "Frutas", - "Unrecom", - "Sockrat", - "Jsocket", - "jRat", - "Backdoor:Java/Adwind" - ] - } - }, - { - "value": "AdSms", - "description": "Adsms is a Trojan horse that may send SMS messages from Android devices.", - "meta": { - "refs": [ - "https://www.fortiguard.com/encyclopedia/virus/7389670", - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-051313-4039-99" - ] - } - }, - { - "value": "Airpush", - "description": "Airpush is a very aggresive Ad - Network", - "meta": { - "refs": [ - "https://crypto.stanford.edu/cs155old/cs155-spring16/lectures/18-mobile-malware.pdf" - ], - "synonyms": [ - "StopSMS" - ] - } - }, - { - "value": "BeanBot", - "description": "BeanBot forwards device's data to a remote server and sends out premium-rate SMS messages from the infected device.", - "meta": { - "refs": [ - "https://www.f-secure.com/v-descs/trojan_android_beanbot.shtml" - ] - } - }, - { - "value": "Kemoge", - "description": "Kemoge is adware that disguises itself as popular apps via repackaging, then allows for a complete takeover of the users Android device.", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html", - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-101207-3555-99" - ] - } - }, - { - "value": "Ghost Push", - "description": "Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious software, masquerading as a system app, and then losing root access, which then makes it virtually impossible to remove the infection even by factory reset unless the firmware is reflashed.", - "meta": { - "refs": [ - 
"https://en.wikipedia.org/wiki/Ghost_Push", - "https://blog.avast.com/how-to-protect-your-android-device-from-ghost-push" - ] - } - }, - { - "value": "BeNews", - "description": "The BeNews app is a backdoor app that uses the name of defunct news site BeNews to appear legitimate. After installation it bypasses restrictions and downloads additional threats to the compromised device.", - "meta": { - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in-hacking-team-dump-designed-to-bypass-google-play/" - ] - } - }, - { - "value": "Accstealer", - "description": "Accstealer is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-012711-1159-99" - ] - } - }, - { - "value": "Acnetdoor", - "description": "Acnetdoor is a detection for Trojan horses on the Android platform that open a back door on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051611-4258-99" - ] - } - }, - { - "value": "Acnetsteal", - "description": "Acnetsteal is a detection for Trojan horses on the Android platform that steal information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051612-0505-99" - ] - } - }, - { - "value": "Actech", - "description": "Actech is a Trojan horse for Android devices that steals information and sends it to a remote location. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080111-3948-99" - ] - } - }, - { - "value": "AdChina", - "description": "AdChina is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-2947-99" - ] - } - }, - { - "value": "Adfonic", - "description": "Adfonic is an advertisement library that is bundled with certain Android applications. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052615-0024-99" - ] - } - }, - { - "value": "AdInfo", - "description": "AdInfo is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2433-99" - ] - } - }, - { - "value": "Adknowledge", - "description": "Adknowledge is an advertisement library that is bundled with certain Android applications. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-1033-99" - ] - } - }, - { - "value": "AdMarvel", - "description": "AdMarvel is an advertisement library that is bundled with certain Android applications. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-2450-99" - ] - } - }, - { - "value": "AdMob", - "description": "AdMob is an advertisement library that is bundled with certain Android applications. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-3437-99" - ] - } - }, - { - "value": "Adrd", - "description": "Adrd is a Trojan horse that steals information from Android devices. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-021514-4954-99" - ] - } - }, - { - "value": "Aduru", - "description": "Aduru is an advertisement library that is bundled with certain Android applications. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-2419-99" - ] - } - }, - { - "value": "Adwhirl", - "description": "Adwhirl is an advertisement library that is bundled with certain Android applications. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1414-99" - ] - } - }, - { - "value": "Adwlauncher", - "description": "Adwlauncher is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-082308-1823-99" - ] - } - }, - { - "value": "Adwo", - "description": "Adwo is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-5806-99" - ] - } - }, - { - "value": "Airad", - "description": "Airad is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-1704-99" - ] - } - }, - { - "value": "Alienspy", - "description": "Alienspy is a Trojan horse for Android devices that steals information from the compromised device. It may also download potentially malicious files. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-042714-5942-99" - ] - } - }, - { - "value": "AmazonAds", - "description": "AmazonAds is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-5002-99" - ] - } - }, - { - "value": "Answerbot", - "description": "Answerbot is a Trojan horse that opens a back door on Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-100711-2129-99" - ] - } - }, - { - "value": "Antammi", - "description": "Antammi is a Trojan horse that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-032106-5211-99" - ] - } - }, - { - "value": "Apkmore", - "description": "Apkmore is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-4813-99" - ] - } - }, - { - "value": "Aplog", - "description": "Aplog is a Trojan horse for Android devices that steals information from the device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-100911-1023-99" - ] - } - }, - { - "value": "Appenda", - "description": "Appenda is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062812-0516-99" - ] - } - }, - { - "value": "Apperhand", - "description": "Apperhand is an advertisement library that is bundled with certain Android applications. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5637-99" - ] - } - }, - { - "value": "Appleservice", - "description": "Appleservice is a Trojan horse for Android devices that may steal information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031011-4321-99" - ] - } - }, - { - "value": "AppLovin", - "description": "AppLovin is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-1739-99" - ] - } - }, - { - "value": "Arspam", - "description": "Arspam is a Trojan horse for Android devices that sends spam SMS messages to contacts on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-121915-3251-99" - ] - } - }, - { - "value": "Aurecord", - "description": "Aurecord is a spyware application for Android devices that allows the device it is installed on to be monitored. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-2310-99" - ] - } - }, - { - "value": "Backapp", - "description": "Backapp is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-092708-5017-99" - ] - } - }, - { - "value": "Backdexer", - "description": "Backdexer is a Trojan horse for Android devices that may send premium-rate SMS messages from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-121812-2502-99" - ] - } - }, - { - "value": "Backflash", - "description": "Backflash is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-091714-0427-99" - ] - } - }, - { - "value": "Backscript", - "description": "Backscript is a Trojan horse for Android devices that downloads files onto the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-090704-3639-99" - ] - } - }, - { - "value": "Badaccents", - "description": "Badaccents is a Trojan horse for Android devices that may download apps on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-123015-3618-99" - ] - } - }, - { - "value": "Badpush", - "description": "Badpush is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-4133-99" - ] - } - }, - { - "value": "Ballonpop", - "description": "Ballonpop is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-120911-1731-99" - ] - } - }, - { - "value": "Bankosy", - "description": "Bankosy is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99" - ] - } - }, - { - "value": "Bankun", - "description": "Bankun is a Trojan horse for Android devices that replaces certain banking applications on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-072318-4143-99" - ] - } - }, - { - "value": "Basebridge", - "description": "Basebridge is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-060915-4938-99" - ] - } - }, - { - "value": "Basedao", - "description": "Basedao is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-061715-3303-99" - ] - } - }, - { - "value": "Batterydoctor", - "description": "Batterydoctor is Trojan that makes exaggerated claims about the device's ability to recharge the battery, as well as steal information. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-101916-0847-99" - ] - } - }, - { - "value": "Beaglespy", - "description": "Beaglespy is an Android mobile detection for the Beagle spyware program as well as its associated client application.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-091010-0627-99" - ] - } - }, - { - "value": "Becuro", - "description": "Becuro is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-051410-3348-99" - ] - } - }, - { - "value": "Beita", - "description": "Beita is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-110111-1829-99" - ] - } - }, - { - "value": "Bgserv", - "description": "Bgserv is a Trojan that opens a back door and transmits information from the device to a remote location. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-031005-2918-99" - ] - } - }, - { - "value": "Biigespy", - "description": "Biigespy is an Android mobile detection for the Biige spyware program as well as its associated client application. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-091012-0526-99" - ] - } - }, - { - "value": "Bmaster", - "description": "Bmaster is a Trojan horse on the Android platform that opens a back door, downloads files and steals potentially confidential information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99" - ] - } - }, - { - "value": "Bossefiv", - "description": "Bossefiv is a Trojan horse for Android devices that steals information. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-061520-4322-99" - ] - } - }, - { - "value": "Boxpush", - "description": "Boxpush is an advertisement library that is bundled with certain Android applications. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-4613-99" - ] - } - }, - { - "value": "Burstly", - "description": "Burstly is an advertisement library that is bundled with certain Android applications. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1443-99" - ] - } - }, - { - "value": "Buzzcity", - "description": "Buzzcity is an advertisement library that is bundled with certain Android applications. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1454-99" - ] - } - }, - { - "value": "ByPush", - "description": "ByPush is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4708-99" - ] - } - }, - { - "value": "Cajino", - "description": "Cajino is a Trojan horse for Android devices that opens a back door on the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-040210-3746-99" - ] - } - }, - { - "value": "Casee", - "description": "Casee is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3501-99" - ] - } - }, - { - "value": "Catchtoken", - "description": "Catchtoken is a Trojan horse for Android devices that intercepts SMS messages and opens a back door on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-121619-0548-99" - ] - } - }, - { - "value": "Cauly", - "description": "Cauly is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3454-99" - ] - } - }, - { - "value": "Cellshark", - "description": "Cellshark is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111611-0914-99" - ] - } - }, - { - "value": "Centero", - "description": "Centero is a Trojan horse for Android devices that displays advertisements on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-053006-2502-99" - ] - } - }, - { - "value": "Chuli", - "description": "Chuli is a Trojan horse for Android devices that opens a back door and may steal information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-032617-1604-99" - ] - } - }, - { - "value": "Citmo", - "description": "Citmo is a Trojan horse for Android devices that steals information from the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-5012-99" - ] - } - }, - { - "value": "Claco", - "description": "Claco is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-020415-5600-99" - ] - } - }, - { - "value": "Clevernet", - "description": "Clevernet is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-5257-99" - ] - } - }, - { - "value": "Cnappbox", - "description": "Cnappbox is an advertisement library that is bundled with certain Android applications. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-1141-99" - ] - } - }, - { - "value": "Cobblerone", - "description": "Cobblerone is a spyware application for Android devices that can track the phone's location and remotely erase the device.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111514-3846-99" - ] - } - }, - { - "value": "Coolpaperleak", - "description": "Coolpaperleak is a Trojan horse for Android devices that steals information and sends it to a remote location. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080211-5757-99" - ] - } - }, - { - "value": "Coolreaper", - "description": "Coolreaper is a Trojan horse for Android devices that opens a back door on the compromised device. It may also steal information and download potentially malicious files. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-011220-3211-99" - ] - } - }, - { - "value": "Cosha", - "description": "Cosha is a spyware program for Android devices that monitors and sends certain information to a remote location.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-081712-5231-99" - ] - } - }, - { - "value": "Counterclank", - "description": "Counterclank is a Trojan horse for Android devices that steals information. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99" - ] - } - }, - { - "value": "Crazymedia", - "description": "Crazymedia is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-2547-99" - ] - } - }, - { - "value": "Crisis", - "description": "Crisis is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99" - ] - } - }, - { - "value": "Crusewind", - "description": "Crusewind is a Trojan horse for Android devices that sends SMS messages to a premium-rate number. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99" - ] - } - }, - { - "value": "Dandro", - "description": "Dandro is a Trojan horse for Android devices that allows a remote attacker to gain control over the device and steal information from it. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-012916-2128-99" - ] - } - }, - { - "value": "Daoyoudao", - "description": "Daoyoudao is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040214-5018-99" - ] - } - }, - { - "value": "Deathring", - "description": "Deathring is a Trojan horse for Android devices that may perform malicious activities on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-121116-4547-99" - ] - } - }, - { - "value": "Deeveemap", - "description": "Deeveemap is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2017-060907-5221-99" - ] - } - }, - { - "value": "Dendoroid", - "description": "Dendoroid is a Trojan horse for Android devices that opens a back door, steals information, and may perform other malicious activities on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030418-2633-99" - ] - } - }, - { - "value": "Dengaru", - "description": "Dengaru is a Trojan horse for Android devices that performs click-fraud from the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-051113-4819-99" - ] - } - }, - { - "value": "Diandong", - "description": "Diandong is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-2453-99" - ] - } - }, - { - "value": "Dianjin", - "description": "Dianjin is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-0313-99" - ] - } - }, - { - "value": "Dogowar", - "description": "Dogowar is a Trojan horse on the Android platform that sends SMS texts to all contacts on the device. It is a repackaged version of a game application called Dog Wars, which can be downloaded from a third party market and must be manually installed. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-081510-4323-99" - ] - } - }, - { - "value": "Domob", - "description": "Domob is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-4235-99" - ] - } - }, - { - "value": "Dougalek", - "description": "Dougalek is a Trojan horse for Android devices that steals information from the compromised device. The threat is typically disguised to display a video. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-041601-3400-99" - ] - } - }, - { - "value": "Dowgin", - "description": "Dowgin is an advertisement library that is bundled with certain Android applications. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-033108-4723-99" - ] - } - }, - { - "value": "Droidsheep", - "description": "Droidsheep is a hacktool for Android devices that hijacks social networking accounts on compromised devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031014-3628-99" - ] - } - }, - { - "value": "Dropdialer", - "description": "Dropdialer is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909-0726-99" - ] - } - }, - { - "value": "Dupvert", - "description": "Dupvert is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. It may also perform other malicious activities. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-072313-1959-99" - ] - } - }, - { - "value": "Dynamicit", - "description": "Dynamicit is an advertisement library that is bundled with certain Android applications. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-1346-99" - ] - } - }, - { - "value": "Ecardgrabber", - "description": "Ecardgrabber is an application that attempts to read details from NFC enabled credit cards. It attempts to read information from NFC enabled credit cards that are in close proximity.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062215-0939-99" - ] - } - }, - { - "value": "Ecobatry", - "description": "Ecobatry is a Trojan horse for Android devices that steals information and sends it to a remote location. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080606-4102-99" - ] - } - }, - { - "value": "Enesoluty", - "description": "Enesoluty is a Trojan horse for Android devices that steals information and sends it to a remote location. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-090607-0807-99" - ] - } - }, - { - "value": "Everbadge", - "description": "Everbadge is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-3736-99" - ] - } - }, - { - "value": "Ewalls", - "description": "Ewalls is a Trojan horse for the Android operating system that steals information from the mobile device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2010-073014-0854-99" - ] - } - }, - { - "value": "Exprespam", - "description": "Exprespam is a Trojan horse for Android devices that displays a fake message and steals personal information stored on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-010705-2324-99" - ] - } - }, - { - "value": "Fakealbums", - "description": "Fakealbums is a Trojan horse for Android devices that monitors and forwards received messages from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-071819-0636-99" - ] - } - }, - { - "value": "Fakeangry", - "description": "Fakeangry is a Trojan horse on the Android platform that opens a back door, downloads files, and steals potentially confidential information from the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022823-4233-99" - ] - } - }, - { - "value": "Fakeapp", - "description": "Fakeapp is a Trojan horse for Android devices that downloads configuration files to display advertisements and collects information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022805-4318-99" - ] - } - }, - { - "value": "Fakebanco", - "description": "Fakebanco is a Trojan horse for Android devices that redirects users to a phishing page in order to steal their information. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-112109-5329-99" - ] - } - }, - { - "value": "Fakebank", - "description": "Fakebank is a Trojan horse that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-071813-2448-99" - ] - } - }, - { - "value": "Fakebank.B", - "description": "Fakebank.B is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-101114-5645-99" - ] - } - }, - { - "value": "Fakebok", - "description": "Fakebok is a Trojan horse for Android devices that sends SMS messages to premium phone numbers. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-021115-5153-99" - ] - } - }, - { - "value": "Fakedaum", - "description": "Fakedaum is a Trojan horse for Android devices that steals information from the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99" - ] - } - }, - { - "value": "Fakedefender", - "description": "Fakedefender is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-060301-4418-99" - ] - } - }, - { - "value": "Fakedefender.B", - "description": "Fakedefender.B is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99" - ] - } - }, - { - "value": "Fakedown", - "description": "Fakedown is a Trojan horse for Android devices that downloads more malicious apps onto the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-041803-5918-99" - ] - } - }, - { - "value": "Fakeflash", - "description": "Fakeflash is a Trojan horse for Android devices that installs a fake Flash application in order to direct users to a website. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-070318-2122-99" - ] - } - }, - { - "value": "Fakegame", - "description": "Fakegame is a Trojan horse for Android devices that displays advertisements and steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-040808-2922-99" - ] - } - }, - { - "value": "Fakeguard", - "description": "Fakeguard is a Trojan horse for Android devices that steals information from the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-102908-3526-99" - ] - } - }, - { - "value": "Fakejob", - "description": "Fakejob is a Trojan horse for Android devices that redirects users to scam websites. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030721-3048-99" - ] - } - }, - { - "value": "Fakekakao", - "description": "Fakekakao is a Trojan horse for Android devices sends SMS messages to contacts stored on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-071617-2031-99" - ] - } - }, - { - "value": "Fakelemon", - "description": "Fakelemon is a Trojan horse for Android devices that blocks certain SMS messages and may subscribe to services without the user's consent. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-120609-3608-99" - ] - } - }, - { - "value": "Fakelicense", - "description": "Fakelicense is a Trojan horse that displays advertisements on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-062709-1437-99" - ] - } - }, - { - "value": "Fakelogin", - "description": "Fakelogin is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-102108-5457-99" - ] - } - }, - { - "value": "FakeLookout", - "description": "FakeLookout is a Trojan horse for Android devices that opens a back door and steals information on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-101919-2128-99" - ] - } - }, - { - "value": "FakeMart", - "description": "FakeMart is a Trojan horse for Android devices that may send SMS messages to premium rate numbers. 
It may also block incoming messages and steal information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99" - ] - } - }, - { - "value": "Fakemini", - "description": "Fakemini is a Trojan horse for Android devices that disguises itself as an installation for the Opera Mini browser and sends premium-rate SMS messages to a predetermined number. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-110410-5958-99" - ] - } - }, - { - "value": "Fakemrat", - "description": "Fakemrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99" - ] - } - }, - { - "value": "Fakeneflic", - "description": "Fakeneflic is a Trojan horse that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99" - ] - } - }, - { - "value": "Fakenotify", - "description": "Fakenotify is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers, collects and sends information, and periodically displays Web pages. It also downloads legitimate apps onto the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-011302-3052-99" - ] - } - }, - { - "value": "Fakepatch", - "description": "Fakepatch is a Trojan horse for Android devices that downloads more files on to the device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062811-2820-99" - ] - } - }, - { - "value": "Fakeplay", - "description": "Fakeplay is a Trojan horse for Android devices that steals information from the compromised device and sends it to a predetermined email address. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-100917-3825-99" - ] - } - }, - { - "value": "Fakescarav", - "description": "Fakescarav is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to pay in order to remove non-existent malware or security risks from the device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-012809-1901-99" - ] - } - }, - { - "value": "Fakesecsuit", - "description": "Fakesecsuit is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-060514-1301-99" - ] - } - }, - { - "value": "Fakesucon", - "description": "Fakesucon is a Trojan horse program for Android devices that sends SMS messages to premium-rate phone numbers. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-120915-2524-99" - ] - } - }, - { - "value": "Faketaobao", - "description": "Faketaobao is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99" - ] - } - }, - { - "value": "Faketaobao.B", - "description": "Faketaobao.B is a Trojan horse for Android devices that intercepts and and sends incoming SMS messages to a remote attacker. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-012106-4013-99" - ] - } - }, - { - "value": "Faketoken", - "description": "Faketoken is a Trojan horse that opens a back door on the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-032211-2048-99", - "http://bgr.com/2017/08/18/android-malware-faketoken-steal-credit-card-info/" - ] - } - }, - { - "value": "Fakeupdate", - "description": "Fakeupdate is a Trojan horse for Android devices that downloads other applications onto the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-081914-5637-99" - ] - } - }, - { - "value": "Fakevoice", - "description": "Fakevoice is a Trojan horse for Android devices that dials a premium-rate phone number. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-040510-3249-99" - ] - } - }, - { - "value": "Farmbaby", - "description": "Farmbaby is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-090715-3641-99" - ] - } - }, - { - "value": "Fauxtocopy", - "description": "Fauxtocopy is a spyware application for Android devices that gathers photos from the device and sends them to a predetermined email address.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111515-3940-99" - ] - } - }, - { - "value": "Feiwo", - "description": "Feiwo is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-4038-99" - ] - } - }, - { - "value": "FindAndCall", - "description": "FindAndCall is a Potentially Unwanted Application for Android devices that may leak information.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-2906-99" - ] - } - }, - { - "value": "Finfish", - "description": "Finfish is a Trojan horse for Android devices that opens a back 
door and steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-083016-0032-99" - ] - } - }, - { - "value": "Fireleaker", - "description": "Fireleaker is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-5207-99" - ] - } - }, - { - "value": "Fitikser", - "description": "Fitikser is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-093015-2830-99" - ] - } - }, - { - "value": "Flexispy", - "description": "Flexispy is a Spyware application for Android devices that logs the device's activity and sends it to a predetermined website. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-122006-4805-99" - ] - } - }, - { - "value": "Fokonge", - "description": "Fokonge is a Trojan horse that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071802-0727-99" - ] - } - }, - { - "value": "FoncySMS", - "description": "FoncySMS is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. It may also connect to an IRC server and execute any received shell commands. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-011502-2651-99" - ] - } - }, - { - "value": "Frogonal", - "description": "Frogonal is a Trojan horse for Android devices that steals information from the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062205-2312-99" - ] - } - }, - { - "value": "Ftad", - "description": "Ftad is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040114-2020-99" - ] - } - }, - { - "value": "Funtasy", - "description": "Funtasy is a Trojan horse for Android devices that subscribes the user to premium SMS services. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-092519-5811-99" - ] - } - }, - { - "value": "GallMe", - "description": "GallMe is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1336-99" - ] - } - }, - { - "value": "Gamex", - "description": "Gamex is a Trojan horse for Android devices that downloads further threats. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051015-1808-99" - ] - } - }, - { - "value": "Gappusin", - "description": "Gappusin is a Trojan horse for Android devices that downloads applications and disguises them as system updates. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022007-2013-99" - ] - } - }, - { - "value": "Gazon", - "description": "Gazon is a worm for Android devices that spreads through SMS messages. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-030320-1436-99" - ] - } - }, - { - "value": "Geinimi", - "description": "Geinimi is a Trojan that opens a back door and transmits information from the device to a remote location. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-010111-5403-99" - ] - } - }, - { - "value": "Generisk", - "description": "Generisk is a generic detection for Android applications that may pose a privacy, security, or stability risk to the user or user's Android device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-062622-1559-99" - ] - } - }, - { - "value": "Genheur", - "description": "Genheur is a generic detection for many individual but varied Trojans for Android devices for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-0848-99" - ] - } - }, - { - "value": "Genpush", - "description": "Genpush is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-033109-0426-99" - ] - } - }, - { - "value": "GeoFake", - "description": "GeoFake is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-040217-3232-99" - ] - } - }, - { - "value": "Geplook", - "description": "Geplook is a Trojan horse for Android devices that downloads additional apps onto the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-121814-0917-99" - ] - } - }, - { - "value": "Getadpush", - "description": "Getadpush is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-0957-99" - ] - } - }, - { - "value": "Ggtracker", - "description": "Ggtracker is a Trojan horse for Android devices that sends SMS messages to a premium-rate number. It may also steal information from the device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-062208-5013-99" - ] - } - }, - { - "value": "Ghostpush", - "description": "Ghostpush is a Trojan horse for Android devices that roots the compromised device. It may then perform malicious activities on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-100215-3718-99" - ] - } - }, - { - "value": "Gmaster", - "description": "Gmaster is a Trojan horse on the Android platform that steals potentially confidential information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99" - ] - } - }, - { - "value": "Godwon", - "description": "Godwon is a Trojan horse for Android devices that steals information. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-091017-1833-99" - ] - } - }, - { - "value": "Golddream", - "description": "Golddream is a Trojan horse that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-070608-4139-99" - ] - } - }, - { - "value": "Goldeneagle", - "description": "Goldeneagle is a Trojan horse that steals information from Android devices. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-090110-3712-99" - ] - } - }, - { - "value": "Golocker", - "description": "Golocker is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062003-3214-99" - ] - } - }, - { - "value": "Gomal", - "description": "Gomal is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-101312-1047-99" - ] - } - }, - { - "value": "Gonesixty", - "description": "Gonesixty is a Trojan horse that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99" - ] - } - }, - { - "value": "Gonfu", - "description": "Gonfu is a Trojan horse that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-060610-3953-99" - ] - } - }, - { - "value": "Gonfu.B", - "description": "Gonfu.B is a Trojan horse that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-030811-5215-99" - ] - } - }, - { - "value": "Gonfu.C", - "description": "Gonfu.C is a Trojan horse for Android devices that may download additional threats on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031817-3639-99" - ] - } - }, - { - "value": "Gonfu.D", - "description": "Gonfu.D is a Trojan horse that opens a back door on Android devices. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-040414-1158-99" - ] - } - }, - { - "value": "Gooboot", - "description": "Gooboot is a Trojan horse for Android devices that may send text messages to premium rate numbers. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031818-3034-99" - ] - } - }, - { - "value": "Goodadpush", - "description": "Goodadpush is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0913-99" - ] - } - }, - { - "value": "Greystripe", - "description": "Greystripe is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-2643-99" - ] - } - }, - { - "value": "Gugespy", - "description": "Gugespy is a spyware program for Android devices that logs the device's activity and sends it to a predetermined email address.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071822-2515-99" - ] - } - }, - { - "value": "Gugespy.B", - "description": "Gugespy.B is a spyware program for Android devices that monitors and sends certain information to a remote location.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-070511-5038-99" - ] - } - }, - { - "value": "Gupno", - "description": "Gupno is a Trojan horse for Android devices that poses as a legitimate app and attempts to charge users for features that are normally free. It may also display advertisements on the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-072211-5533-99" - ] - } - }, - { - "value": "Habey", - "description": "Habey is a Trojan horse for Android devices that may attempt to delete files and send SMS messages from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-100608-4512-99" - ] - } - }, - { - "value": "Handyclient", - "description": "Handyclient is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5027-99" - ] - } - }, - { - "value": "Hehe", - "description": "Hehe is a Trojan horse for Android devices that blocks incoming calls and SMS messages from specific numbers. The Trojan also steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-012211-0020-99" - ] - } - }, - { - "value": "Hesperbot", - "description": "Hesperbot is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-121010-1120-99" - ] - } - }, - { - "value": "Hippo", - "description": "Hippo is a Trojan horse that sends SMS messages to premium-rate phone numbers. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071215-3547-99" - ] - } - }, - { - "value": "Hippo.B", - "description": "Hippo.B is a Trojan horse that sends SMS messages to premium-rate phone numbers. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031915-0151-99" - ] - } - }, - { - "value": "IadPush", - "description": "IadPush is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4104-99" - ] - } - }, - { - "value": "iBanking", - "description": "iBanking is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030713-0559-99" - ] - } - }, - { - "value": "Iconosis", - "description": "Iconosis is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062107-3327-99" - ] - } - }, - { - "value": "Iconosys", - "description": "Iconosys is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-081309-0341-99" - ] - } - }, - { - "value": "Igexin", - "description": "Igexin is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-032606-5519-99" - ] - } - }, - { - "value": "ImAdPush", - "description": "ImAdPush is an advertisement library that is bundled with certain Android applications. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040323-0218-99" - ] - } - }, - { - "value": "InMobi", - "description": "InMobi is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-1527-99" - ] - } - }, - { - "value": "Jifake", - "description": "Jifake is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-073021-4247-99" - ] - } - }, - { - "value": "Jollyserv", - "description": "Jollyserv is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-090311-4533-99" - ] - } - }, - { - "value": "Jsmshider", - "description": "Jsmshider is a Trojan horse that opens a back door on Android devices. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-062114-0857-99" - ] - } - }, - { - "value": "Ju6", - "description": "Ju6 is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2428-99" - ] - } - }, - { - "value": "Jumptap", - "description": "Jumptap is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0859-99" - ] - } - }, - { - "value": "Jzmob", - "description": "Jzmob is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-1703-99" - ] - } - }, - { - "value": "Kabstamper", - "description": "Kabstamper is a Trojan horse for Android devices that corrupts images found on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-060706-2305-99" - ] - } - }, - { - "value": "Kidlogger", - "description": "Kidlogger is a Spyware application for Android devices that logs the device's activity and sends it to a predetermined website.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-122014-1927-99" - ] - } - }, - { - "value": "Kielog", - "description": "Kielog is a Trojan horse for Android devices that logs keystrokes and sends the stolen information to the remote attacker. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-040205-4035-99" - ] - } - }, - { - "value": "Kituri", - "description": "Kituri is a Trojan horse for Android devices that blocks certain SMS messages from being received by the device. It may also send SMS messages to a premium-rate number. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061111-5350-99" - ] - } - }, - { - "value": "Kranxpay", - "description": "Kranxpay is a Trojan horse for Android devices that downloads other apps onto the device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071009-0809-99" - ] - } - }, - { - "value": "Krysanec", - "description": "Krysanec is a Trojan horse for Android devices that opens a back door on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-090113-4128-99" - ] - } - }, - { - "value": "Kuaidian360", - "description": "Kuaidian360 is an advertisement library that is bundled with certain Android applications. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040109-2415-99" - ] - } - }, - { - "value": "Kuguo", - "description": "Kuguo is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-5215-99" - ] - } - }, - { - "value": "Lastacloud", - "description": "Lastacloud is a Trojan horse for Android devices that steals information from the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-121216-4334-99" - ] - } - }, - { - "value": "Laucassspy", - "description": "Laucassspy is a spyware program for Android devices that steals information and sends it to a remote location.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-092409-1822-99" - ] - } - }, - { - "value": "Lifemonspy", - "description": "Lifemonspy is a spyware application for Android devices that can track the phone's location, download SMS messages, and erase certain data from the device.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-5540-99" - ] - } - }, - { - "value": "Lightdd", - "description": "Lightdd is a Trojan horse that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-053114-2342-99" - ] - } - }, - { - "value": "Loaderpush", - "description": "Loaderpush is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0244-99" - ] - } - }, - { - "value": "Locaspy", - "description": "Locaspy is a Potentially Unwanted Application for Android devices that tracks the location of the compromised device.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030720-3500-99" - ] - } - }, - { - "value": "Lockdroid.E", - "description": "Lockdroid.E is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-103005-2209-99" - ] - } - }, - { - "value": "Lockdroid.F", - "description": "Lockdroid.F is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-102215-4346-99" - ] - } - }, - { - "value": "Lockdroid.G", - "description": "Lockdroid.G is a Trojan horse for Android devices that may display a ransom demand on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-050610-2450-99" - ] - } - }, - { - "value": "Lockdroid.H", - "description": "Lockdroid.H is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2016-031621-1349-99" - ] - } - }, - { - "value": "Lockscreen", - "description": "Lockscreen is a Trojan horse for Android devices that locks the compromised device from use. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-032409-0743-99" - ] - } - }, - { - "value": "LogiaAd", - "description": "LogiaAd is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0348-99" - ] - } - }, - { - "value": "Loicdos", - "description": "Loicdos is an Android application that provides an interface to a website in order to perform a denial of service (DoS) attack against a computer. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022002-2431-99" - ] - } - }, - { - "value": "Loozfon", - "description": "Loozfon is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-082005-5451-99" - ] - } - }, - { - "value": "Lotoor", - "description": "Lotoor is a generic detection for hack tools that exploit vulnerabilities in order to gain root privileges on compromised Android devices. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-091922-4449-99" - ] - } - }, - { - "value": "Lovespy", - "description": "Lovespy is a Trojan horse for Android devices that steals information from the device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071814-3805-99" - ] - } - }, - { - "value": "Lovetrap", - "description": "Lovetrap is a Trojan horse that sends SMS messages to premium-rate phone numbers. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99" - ] - } - }, - { - "value": "Luckycat", - "description": "Luckycat is a Trojan horse for Android devices that opens a back door and steals information on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080617-5343-99" - ] - } - }, - { - "value": "Machinleak", - "description": "Machinleak is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-120311-2440-99" - ] - } - }, - { - "value": "Maistealer", - "description": "Maistealer is a Trojan that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-072411-4350-99" - ] - } - }, - { - "value": "Malapp", - "description": "Malapp is a generic detection for many individual but varied threats on Android devices that share similar characteristics. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-073014-3354-99" - ] - } - }, - { - "value": "Malebook", - "description": "Malebook is a Trojan horse for Android devices that steals information from the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071206-3403-99" - ] - } - }, - { - "value": "Malhome", - "description": "Malhome is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071118-0441-99" - ] - } - }, - { - "value": "Malminer", - "description": "Malminer is a Trojan horse for Android devices that mines cryptocurrencies on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032712-3709-99" - ] - } - }, - { - "value": "Mania", - "description": "Mania is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-070623-1520-99" - ] - } - }, - { - "value": "Maxit", - "description": "Maxit is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals certain information and uploads it to a remote location. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-120411-2511-99" - ] - } - }, - { - "value": "MdotM", - "description": "MdotM is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5824-99" - ] - } - }, - { - "value": "Medialets", - "description": "Medialets is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5222-99" - ] - } - }, - { - "value": "Meshidden", - "description": "Meshidden is a spyware application for Android devices that allows the device it is installed on to be monitored.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031913-5257-99" - ] - } - }, - { - "value": "Mesploit", - "description": "Mesploit is a tool for Android devices used to create applications that exploit the Android Fake ID vulnerability.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-032014-2847-99" - ] - } - }, - { - "value": "Mesprank", - "description": "Mesprank is a Trojan horse for Android devices that opens a back door on the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030717-1933-99" - ] - } - }, - { - "value": "Meswatcherbox", - "description": "Meswatcherbox is a spyware application for Android devices that forwards SMS messages without the user knowing.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-2736-99" - ] - } - }, - { - "value": "Miji", - "description": "Miji is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4720-99" - ] - } - }, - { - "value": "Milipnot", - "description": "Milipnot is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-070414-0941-99" - ] - } - }, - { - "value": "MillennialMedia", - "description": "MillennialMedia is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4602-99" - ] - } - }, - { - "value": "Mitcad", - "description": "Mitcad is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040212-0528-99" - ] - } - }, - { - "value": "MobClix", - "description": "MobClix is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4011-99" - ] - } - }, - { - "value": "MobFox", - "description": "MobFox is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-3050-99" - ] - } - }, - { - "value": "Mobidisplay", - 
"description": "Mobidisplay is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-0435-99" - ] - } - }, - { - "value": "Mobigapp", - "description": "Mobigapp is a Trojan horse for Android devices that downloads applications disguised as system updates. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062520-5802-99" - ] - } - }, - { - "value": "MobileBackup", - "description": "MobileBackup is a spyware application for Android devices that monitors the affected device.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-0040-99" - ] - } - }, - { - "value": "Mobilespy", - "description": "Mobilespy is a Trojan horse that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071512-0653-99" - ] - } - }, - { - "value": "Mobiletx", - "description": "Mobiletx is a Trojan horse for Android devices that steals information from the compromised device. It may also send SMS messages to a premium-rate number. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-052807-4439-99" - ] - } - }, - { - "value": "Mobinaspy", - "description": "Mobinaspy is a spyware application for Android devices that can track the device's location.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-0511-99" - ] - } - }, - { - "value": "Mobus", - "description": "Mobus is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2006-99" - ] - } - }, - { - "value": "MobWin", - "description": "MobWin is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1522-99" - ] - } - }, - { - "value": "Mocore", - "description": "Mocore is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-092112-4603-99" - ] - } - }, - { - "value": "Moghava", - "description": "Moghava is a Trojan horse for Android devices that modifies images that are stored on the device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022712-2822-99" - ] - } - }, - { - "value": "Momark", - "description": "Momark is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-5529-99" - ] - } - }, - { - "value": "Monitorello", - "description": "Monitorello is a spyware application for Android devices that allows the device it is installed on to be monitored.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-4737-99" - ] - } - }, - { - "value": "Moolah", - "description": "Moolah is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1007-99" - ] - } - }, - { - "value": "MoPub", - "description": "MoPub is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-2456-99" - ] - } - }, - { - "value": "Morepaks", - "description": "Morepaks is a Trojan horse for Android devices that downloads remote files and may display advertisements on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071204-1130-99" - ] - } - }, - { - "value": "Nandrobox", - "description": "Nandrobox is a Trojan horse for Android devices that steals information from the compromised device. It also deletes certain SMS messages from the device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-070212-2132-99" - ] - } - }, - { - "value": "Netisend", - "description": "Netisend is a Trojan horse that steals information from Android devices. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-080207-1139-99" - ] - } - }, - { - "value": "Nickispy", - "description": "Nickispy is a Trojan horse that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-072714-3613-99" - ] - } - }, - { - "value": "Notcompatible", - "description": "Notcompatible is a Trojan horse for Android devices that acts as a proxy. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-050307-2712-99" - ] - } - }, - { - "value": "Nuhaz", - "description": "Nuhaz is a Trojan horse for Android devices that may intercept text messages on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-3416-99" - ] - } - }, - { - "value": "Nyearleaker", - "description": "Nyearleaker is a Trojan horse program for Android devices that steals information. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-010514-0844-99" - ] - } - }, - { - "value": "Obad", - "description": "Obad is a Trojan horse for Android devices that opens a back door, steals information, and downloads files. It also sends SMS messages to premium-rate numbers and spreads malware to Bluetooth-enabled devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99" - ] - } - }, - { - "value": "Oneclickfraud", - "description": "Oneclickfraud is a Trojan horse for Android devices that attempts to coerce a user into paying for a pornographic service. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-011205-4412-99" - ] - } - }, - { - "value": "Opfake", - "description": "Opfake is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99" - ] - } - }, - { - "value": "Opfake.B", - "description": "Opfake.B is a Trojan horse for the Android platform that may receive commands from a remote attacker to perform various functions. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022406-1309-99" - ] - } - }, - { - "value": "Ozotshielder", - "description": "Ozotshielder is a Trojan horse that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-091505-3230-99" - ] - } - }, - { - "value": "Pafloat", - "description": "Pafloat is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-2015-99" - ] - } - }, - { - "value": "PandaAds", - "description": "PandaAds is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1959-99" - ] - } - }, - { - "value": "Pandbot", - "description": "Pandbot is a Trojan horse for Android devices that may download more files onto the device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071215-1454-99" - ] - } - }, - { - "value": "Pdaspy", - "description": "Pdaspy is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-0749-99" - ] - } - }, - { - "value": "Penetho", - "description": "Penetho is a hacktool for Android devices that can be used to crack the WiFi password of the router that the device is using.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-100110-3614-99" - ] - } - }, - { - "value": "Perkel", - "description": "Perkel is a Trojan horse for Android devices that may steal information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-082811-4213-99" - ] - } - }, - { - "value": "Phimdropper", - "description": "Phimdropper is a Trojan horse for Android devices that sends and intercepts incoming SMS messages. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-021002-2943-99" - ] - } - }, - { - "value": "Phospy", - "description": "Phospy is a Trojan horse for Android devices that steals confidential information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99" - ] - } - }, - { - "value": "Piddialer", - "description": "Piddialer is a Trojan horse for Android devices that dials premium-rate numbers from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-2247-99" - ] - } - }, - { - "value": "Pikspam", - "description": "Pikspam is a Trojan horse for Android devices that sends spam SMS messages from the compromised device. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-121815-0336-99" - ] - } - }, - { - "value": "Pincer", - "description": "Pincer is a Trojan horse for Android devices that steals confidential information and opens a back door on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-052307-3530-99" - ] - } - }, - { - "value": "Pirator", - "description": "Pirator is a Trojan horse on the Android platform that downloads files and steals potentially confidential information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-021609-5740-99" - ] - } - }, - { - "value": "Pjapps", - "description": "Pjapps is a Trojan horse that has been embedded on third party applications and opens a back door on the compromised device. It retrieves commands from a remote command and control server. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-022303-3344-99" - ] - } - }, - { - "value": "Pjapps.B", - "description": "Pjapps.B is a Trojan horse for Android devices that opens a back door on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032014-1624-99" - ] - } - }, - { - "value": "Pletora", - "description": "Pletora is a is a Trojan horse for Android devices that may lock the compromised device. It then asks the user to pay in order to unlock the device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-061217-4345-99" - ] - } - }, - { - "value": "Poisoncake", - "description": "Poisoncake is a Trojan horse for Android devices that opens a back door on the compromised device. It may also download potentially malicious files and steal information. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-010610-0726-99" - ] - } - }, - { - "value": "Pontiflex", - "description": "Pontiflex is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-0946-99" - ] - } - }, - { - "value": "Positmob", - "description": "Positmob is a Trojan horse program for Android devices that sends SMS messages to premium rate phone numbers. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111409-1556-99" - ] - } - }, - { - "value": "Premiumtext", - "description": "Premiumtext is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers. These Trojans will often be repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-080213-5308-99" - ] - } - }, - { - "value": "Pris", - "description": "Pris is a Trojan horse for Android devices that silently downloads a malicious application and attempts to open a back door on the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061820-5638-99" - ] - } - }, - { - "value": "Qdplugin", - "description": "Qdplugin is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-102510-3330-99" - ] - } - }, - { - "value": "Qicsomos", - "description": "Qicsomos is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-011007-2223-99" - ] - } - }, - { - "value": "Qitmo", - "description": "Qitmo is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030716-4923-99" - ] - } - }, - { - "value": "Rabbhome", - "description": "Rabbhome is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-053007-3750-99" - ] - } - }, - { - "value": "Repane", - "description": "Repane is a Trojan horse for Android devices that steals information and sends SMS messages from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-090411-5052-99" - ] - } - }, - { - "value": "Reputation.1", - "description": "Reputation.1 is a detection for Android files based on analysis performed by Norton Mobile Insight. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022612-2619-99" - ] - } - }, - { - "value": "Reputation.2", - "description": "Reputation.2 is a detection for Android files based on analysis performed by Norton Mobile Insight. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-2629-99" - ] - } - }, - { - "value": "Reputation.3", - "description": "Reputation.3 is a detection for Android files based on analysis performed by Norton Mobile Insight. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-3126-99" - ] - } - }, - { - "value": "RevMob", - "description": "RevMob is an advertisement library that is bundled with certain Android applications.", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040308-0502-99" - ] - } - }, - { - "value": "Roidsec", - "description": "Roidsec is a Trojan horse for Android devices that steals confidential information. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99" - ] - } - }, - { - "value": "Rootcager", - "description": "Rootcager is a Trojan horse that steals information from Android devices. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-030212-1438-99" - ] - } - }, - { - "value": "Rootnik", - "description": "Rootnik is a Trojan horse for Android devices that steals information and downloads additional apps. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99" - ] - } - }, - { - "value": "Rufraud", - "description": "Rufraud is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2011-121306-2304-99" - ] - } - }, - { - "value": "Rusms", - "description": "Rusms is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-061711-5009-99" - ] - } - }, - { - "value": "Samsapo", - "description": "Samsapo is a worm for Android devices that spreads by sending SMS messages to all contacts stored on the compromised device. It also opens a back door and downloads files. 
", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-050111-1908-99" - ] - } - }, - { - "value": "Sandorat", - "description": "Sandorat is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals information. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-110720-2146-99" - ] - } - }, - { - "value": "Sberick", - "description": "Sberick is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-071014-2146-99" - ] - } - }, - { - "value": "Scartibro", - "description": "Scartibro is a Trojan horse for Android devices that locks the compromised device and asks the user to pay in order to unlock it. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-080718-2038-99" - ] - } - }, - { - "value": "Scipiex", - "description": "Scipiex is a Trojan horse for Android devices that steals information from the compromised device. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2013-100814-4702-99" - ] - } - }, - { - "value": "Selfmite", - "description": "Selfmite is a worm for Android devices that spreads through SMS messages. ", - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-070111-5857-99" - ] - } - }, - { - "value": "Selfmite.B", - "description": "Selfmite.B is a worm for Android devices that displays ads on the compromised device. It spreads through SMS messages. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-101013-4717-99"
- ]
- }
- },
- {
- "value": "SellARing",
- "description": "SellARing is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-3157-99"
- ]
- }
- },
- {
- "value": "SendDroid",
- "description": "SendDroid is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-2111-99"
- ]
- }
- },
- {
- "value": "Simhosy",
- "description": "Simhosy is a Trojan horse for Android devices that steals information from the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2013-061013-3955-99"
- ]
- }
- },
- {
- "value": "Simplocker",
- "description": "Simplocker is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-060610-5533-99"
- ]
- }
- },
- {
- "value": "Simplocker.B",
- "description": "Simplocker.B is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-072317-1950-99"
- ]
- }
- },
- {
- "value": "Skullkey",
- "description": "Skullkey is a Trojan horse for Android devices that gives the attacker remote control of the compromised device to perform malicious activity. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99"
- ]
- }
- },
- {
- "value": "Smaato",
- "description": "Smaato is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052622-1755-99"
- ]
- }
- },
- {
- "value": "Smbcheck",
- "description": "Smbcheck is a hacktool for Android devices that can trigger a Server Message Block version 2 (SMBv2) vulnerability and may cause the target computer to crash.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-5634-99"
- ]
- }
- },
- {
- "value": "Smsblocker",
- "description": "Smsblocker is a generic detection for threats on Android devices that block the transmission of SMS messages. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-081607-4001-99"
- ]
- }
- },
- {
- "value": "Smsbomber",
- "description": "Smsbomber is a program that can be used to send messages to contacts on the device.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-112611-5837-99"
- ]
- }
- },
- {
- "value": "Smslink",
- "description": "Smslink is a Trojan horse for Android devices that may send malicious SMS messages from the compromised device. It may also display advertisements. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-112600-3035-99"
- ]
- }
- },
- {
- "value": "Smspacem",
- "description": "Smspacem is a Trojan horse that may send SMS messages from Android devices. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2011-052310-1322-99"
- ]
- }
- },
- {
- "value": "SMSReplicator",
- "description": "SMSReplicator is a spying utility that will secretly transmit incoming SMS messages to another phone of the installer's choice. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2010-110214-1252-99"
- ]
- }
- },
- {
- "value": "Smssniffer",
- "description": "Smssniffer is a Trojan horse that intercepts SMS messages on Android devices. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071108-3626-99"
- ]
- }
- },
- {
- "value": "Smsstealer",
- "description": "Smsstealer is a Trojan horse for Android devices that steals information from the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-121514-0214-99"
- ]
- }
- },
- {
- "value": "Smstibook",
- "description": "Smstibook is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2011-051207-4833-99"
- ]
- }
- },
- {
- "value": "Smszombie",
- "description": "Smszombie is a Trojan horse for Android devices that steals information from the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-082011-0922-99"
- ]
- }
- },
- {
- "value": "Snadapps",
- "description": "Snadapps is a Trojan horse that steals information from Android devices. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071807-3111-99"
- ]
- }
- },
- {
- "value": "Sockbot",
- "description": "Sockbot is a Trojan horse for Android devices that creates a SOCKS proxy on the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2017-101314-1353-99"
- ]
- }
- },
- {
- "value": "Sockrat",
- "description": "Sockrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99"
- ]
- }
- },
- {
- "value": "Sofacy",
- "description": "Sofacy is a Trojan horse for Android devices that steals information from the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2017-010508-5201-99"
- ]
- }
- },
- {
- "value": "Sosceo",
- "description": "Sosceo is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040408-0609-99"
- ]
- }
- },
- {
- "value": "Spitmo",
- "description": "Spitmo is a Trojan horse that steals information from Android devices. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2011-091407-1435-99"
- ]
- }
- },
- {
- "value": "Spitmo.B",
- "description": "Spitmo.B is a Trojan horse for Android devices that steals information from the compromised device. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-0445-99"
- ]
- }
- },
- {
- "value": "Spyagent",
- "description": "Spyagent is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-090710-1836-99"
- ]
- }
- },
- {
- "value": "Spybubble",
- "description": "Spybubble is a Spyware application for Android devices that logs the device's activity and sends it to a predetermined website.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2011-121917-0335-99"
- ]
- }
- },
- {
- "value": "Spydafon",
- "description": "Spydafon is a Potentially Unwanted Application for Android devices that monitors the affected device.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030722-4740-99"
- ]
- }
- },
- {
- "value": "Spymple",
- "description": "Spymple is a spyware application for Android devices that allows the device it is installed on to be monitored.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-5403-99"
- ]
- }
- },
- {
- "value": "Spyoo",
- "description": "Spyoo is a spyware program for Android devices that records and sends certain information to a remote location.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-081709-0457-99"
- ]
- }
- },
- {
- "value": "Spytekcell",
- "description": "Spytekcell is a spyware program for Android devices that monitors and sends certain information to a remote location.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2013-121021-0730-99"
- ]
- }
- },
- {
- "value": "Spytrack",
- "description": "Spytrack is a spyware program for Android devices that periodically sends certain information to a 
remote location.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080109-5710-99"
- ]
- }
- },
- {
- "value": "Spywaller",
- "description": "Spywaller is a Trojan horse for Android devices that steals information from the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2015-121807-0203-99"
- ]
- }
- },
- {
- "value": "Stealthgenie",
- "description": "Stealthgenie is a Trojan horse for Android devices that steals information from the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99"
- ]
- }
- },
- {
- "value": "Steek",
- "description": "Steek is a potentially unwanted application that is placed on a download website for Android applications and disguised as popular applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-010911-3142-99"
- ]
- }
- },
- {
- "value": "Stels",
- "description": "Stels is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2013-032910-0254-99"
- ]
- }
- },
- {
- "value": "Stiniter",
- "description": "Stiniter is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-030903-5228-99"
- ]
- }
- },
- {
- "value": "Sumzand",
- "description": "Sumzand is a Trojan horse for Android devices that steals information and sends it to a remote location. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080308-2851-99"
- ]
- }
- },
- {
- "value": "Sysecsms",
- "description": "Sysecsms is a Trojan horse for Android devices that steals information from the compromised device. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-122714-5228-99"
- ]
- }
- },
- {
- "value": "Tanci",
- "description": "Tanci is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4108-99"
- ]
- }
- },
- {
- "value": "Tapjoy",
- "description": "Tapjoy is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-4702-99"
- ]
- }
- },
- {
- "value": "Tapsnake",
- "description": "Tapsnake is a Trojan horse for Android phones that is embedded into a game. It tracks the phone's location and posts it to a remote web service. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2010-081214-2657-99"
- ]
- }
- },
- {
- "value": "Tascudap",
- "description": "Tascudap is a Trojan horse for Android devices that uses the compromised device in denial of service attacks. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-121312-4547-99"
- ]
- }
- },
- {
- "value": "Teelog",
- "description": "Teelog is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2013-040215-2736-99"
- ]
- }
- },
- {
- "value": "Temai",
- "description": "Temai is a Trojan horse for Android applications that opens a back door and downloads malicious files onto the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99"
- ]
- }
- },
- {
- "value": "Tetus",
- "description": "Tetus is a Trojan horse for Android devices that steals information from the compromised device. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2013-012409-4705-99"
- ]
- }
- },
- {
- "value": "Tgpush",
- "description": "Tgpush is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032816-0259-99"
- ]
- }
- },
- {
- "value": "Tigerbot",
- "description": "Tigerbot is a Trojan horse for Android devices that opens a back door on the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-041010-2221-99"
- ]
- }
- },
- {
- "value": "Tonclank",
- "description": "Tonclank is a Trojan horse that steals information and may open a back door on Android devices. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99"
- ]
- }
- },
- {
- "value": "Trogle",
- "description": "Trogle is a worm for Android devices that may steal information from the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-081213-5553-99"
- ]
- }
- },
- {
- "value": "Twikabot",
- "description": "Twikabot is a Trojan horse for Android devices that attempts to steal information. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062614-5813-99"
- ]
- }
- },
- {
- "value": "Uapush",
- "description": "Uapush is a Trojan horse for Android devices that steals information from the compromised device. It may also display advertisements and send SMS messages from the compromised device. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2013-040114-2910-99"
- ]
- }
- },
- {
- "value": "Umeng",
- "description": "Umeng is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5749-99"
- ]
- }
- },
- {
- "value": "Updtbot",
- "description": "Updtbot is a Trojan horse for Android devices that may arrive through SMS messages. It may then open a back door on the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-041611-4136-99"
- ]
- }
- },
- {
- "value": "Upush",
- "description": "Upush is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-0733-99"
- ]
- }
- },
- {
- "value": "Uracto",
- "description": "Uracto is a Trojan horse for Android devices that steals personal information and sends spam SMS messages to contacts found on the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2013-031805-2722-99"
- ]
- }
- },
- {
- "value": "Uranico",
- "description": "Uranico is a Trojan horse for Android devices that steals information from the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-052803-3835-99"
- ]
- }
- },
- {
- "value": "Usbcleaver",
- "description": "Usbcleaver is a Trojan horse for Android devices that steals information from the compromised device. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99"
- ]
- }
- },
- {
- "value": "Utchi",
- "description": "Utchi is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-2536-99"
- ]
- }
- },
- {
- "value": "Uten",
- "description": "Uten is a Trojan horse for Android devices that may send, block, and delete SMS messages on a compromised device. It may also download and install additional applications and attempt to gain root privileges. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2013-092316-4752-99"
- ]
- }
- },
- {
- "value": "Uupay",
- "description": "Uupay is a Trojan horse for Android devices that steals information from the compromised device. It may also download additional malware. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-061714-1550-99"
- ]
- }
- },
- {
- "value": "Uxipp",
- "description": "Uxipp is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99"
- ]
- }
- },
- {
- "value": "Vdloader",
- "description": "Vdloader is a Trojan horse for Android devices that opens a back door on the compromised device and steals confidential information. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080209-1420-99"
- ]
- }
- },
- {
- "value": "VDopia",
- "description": "VDopia is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-1559-99"
- ]
- }
- },
- {
- "value": "Virusshield",
- "description": "Virusshield is a Trojan horse for Android devices that claims to scan apps and protect personal information, but has no real functionality. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040810-5457-99"
- ]
- }
- },
- {
- "value": "VServ",
- "description": "VServ is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-3117-99"
- ]
- }
- },
- {
- "value": "Walkinwat",
- "description": "Walkinwat is a Trojan horse that steals information from the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2011-033008-4831-99"
- ]
- }
- },
- {
- "value": "Waps",
- "description": "Waps is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040406-5437-99"
- ]
- }
- },
- {
- "value": "Waren",
- "description": "Waren is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5501-99"
- ]
- }
- },
- {
- "value": "Windseeker",
- "description": "Windseeker is a Trojan horse for Android devices that steals information from the compromised device. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-101519-0720-99"
- ]
- }
- },
- {
- "value": "Wiyun",
- "description": "Wiyun is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-5646-99"
- ]
- }
- },
- {
- "value": "Wooboo",
- "description": "Wooboo is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-5829-99"
- ]
- }
- },
- {
- "value": "Wqmobile",
- "description": "Wqmobile is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4926-99"
- ]
- }
- },
- {
- "value": "YahooAds",
- "description": "YahooAds is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-3229-99"
- ]
- }
- },
- {
- "value": "Yatoot",
- "description": "Yatoot is a Trojan horse for Android devices that steals information from the compromised device. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2013-031408-4748-99"
- ]
- }
- },
- {
- "value": "Yinhan",
- "description": "Yinhan is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-3350-99"
- ]
- }
- },
- {
- "value": "Youmi",
- "description": "Youmi is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4318-99"
- ]
- }
- },
- {
- "value": "YuMe",
- "description": "YuMe is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-0322-99"
- ]
- }
- },
- {
- "value": "Zeahache",
- "description": "Zeahache is a Trojan horse that elevates privileges on the compromised device. ",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2011-032309-5042-99"
- ]
- }
- },
- {
- "value": "ZertSecurity",
- "description": "ZertSecurity is a Trojan horse for Android devices that steals information and sends it to a remote attacker. 
",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2013-050820-4100-99"
- ]
- }
- },
- {
- "value": "ZestAdz",
- "description": "ZestAdz is an advertisement library that is bundled with certain Android applications.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052616-3821-99"
- ]
- }
- },
- {
- "value": "Zeusmitmo",
- "description": "Zeusmitmo is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080818-0448-99"
- ]
- }
- },
- {
- "value": "SLocker",
- "description": "The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom.",
- "meta": {
- "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/"
- ],
- "synonyms": [
- "SMSLocker"
- ]
- }
- },
- {
- "value": "Loapi",
- "description": "A malware strain known as Loapi will damage phones if users don't remove it from their devices. Left to its own means, this modular threat will download a Monero cryptocurrency miner that will overheat and overwork the phone's components, which will make the battery bulge, deform the phone's cover, or even worse. 
Discovered by Kaspersky Labs, researchers say Loapi appears to have evolved from Podec, a malware strain spotted in 2015.",
- "meta": {
- "refs": [
- "https://www.bleepingcomputer.com/news/security/android-malware-will-destroy-your-phone-no-ifs-and-buts-about-it/"
- ]
- }
- },
- {
- "value": "Podec",
- "description": "Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015.\nThe updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. 
This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.",
- "meta": {
- "refs": [
- "https://securelist.com/sms-trojan-bypasses-captcha/69169//"
- ]
- }
- }
- ],
- "version": 4,
- "uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa",
- "description": "Android malware galaxy based on multiple open sources.",
- "authors": [
- "Unknown"
- ],
- "source": "Open Sources",
- "type": "android",
- "name": "Android"
-}
+ "values": [
+ {
+ "value": "CopyCat",
+ "description": "CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote \u2013 a daemon responsible for launching apps in the Android operating system \u2013 that allows the malware to control any activity on the device.",
+ "meta": {
+ "refs": [
+ "https://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/"
+ ]
+ },
+ "uuid": "40aa797a-ee87-43a1-8755-04d040dbea28"
+ },
+ {
+ "value": "Andr/Dropr-FH",
+ "description": "Andr/Dropr-FH can silently record audio and video, monitor texts and calls, modify files, and ultimately spawn ransomware.",
+ "meta": {
+ "refs": [
+ "https://nakedsecurity.sophos.com/2017/07/21/watch-out-for-the-android-malware-that-snoops-on-your-phone/",
+ "https://www.neowin.net/news/the-ghostctrl-android-malware-can-silently-record-your-audio-and-steal-sensitive-data"
+ ],
+ "synonyms": [
+ "GhostCtrl"
+ ]
+ },
+ "uuid": "a01e1d0b-5303-4d11-94dc-7db74f3d599d"
+ },
+ {
+ "value": "Judy",
+ "description": "The malware, dubbed Judy, is an auto-clicking adware which was found on 41 apps developed by a Korean company. 
The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.",
+ "meta": {
+ "refs": [
+ "http://fortune.com/2017/05/28/android-malware-judy/",
+ "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/"
+ ]
+ },
+ "uuid": "1a73ceaf-7054-4882-be82-8994805676fc"
+ },
+ {
+ "value": "RedAlert2",
+ "description": "The trojan waits in hiding until the user opens a banking or social media app. When this happens, the trojan shows an HTML-based overlay on top of the original app, alerting the user of an error, and asking to reauthenticate. Red Alert then collects the user's credentials and sends them to its C&C server.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/researchers-discover-new-android-banking-trojan/"
+ ]
+ },
+ "uuid": "d10f8cd5-0077-4d8f-9145-03815a68dd33"
+ },
+ {
+ "value": "Tizi",
+ "description": "Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.",
+ "meta": {
+ "refs": [
+ "https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html"
+ ]
+ },
+ "uuid": "8f374460-aa58-4a31-98cb-58db42d0902a"
+ },
+ {
+ "value": "DoubleLocker",
+ "description": "DoubleLocker can change the device\u2019s PIN, preventing victims from accessing their devices, and also encrypts the data requesting a ransom. 
It will misuse accessibility services after being installed by impersonating the Adobe Flash player - similar to BankBot.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/"
+ ]
+ },
+ "uuid": "6671bb0b-4fab-44a7-92f9-f641a887a0aa"
+ },
+ {
+ "value": "Svpeng",
+ "description": "Svpeng is a Banking trojan which acts as a keylogger. If the Android device is not Russian, Svpeng will ask for permission to use accessibility services. In abusing this service it will gain administrator rights allowing it to draw over other apps, send and receive SMS and take screenshots when keys are pressed. ",
+ "meta": {
+ "refs": [
+ "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/",
+ "https://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/"
+ ],
+ "synonyms": [
+ "Invisble Man"
+ ]
+ },
+ "uuid": "426ead34-b3e6-45c7-ba22-5b8f3b8214bd"
+ },
+ {
+ "value": "LokiBot",
+ "description": "LokiBot is a banking trojan for Android 4.0 and higher. It can steal the information and send SMS messages. It has the ability to start web browsers, and banking applications, along with showing notifications impersonating other apps. Upon attempt to remove it will encrypt the devices' external storage requiring Bitcoins to decrypt files.",
+ "meta": {
+ "refs": [
+ "https://clientsidedetection.com/lokibot___the_first_hybrid_android_malware.html"
+ ]
+ },
+ "uuid": "fbda9705-677b-4c5b-9b0b-13b52eff587c"
+ },
+ {
+ "value": "BankBot",
+ "description": "The main goal of this malware is to steal banking credentials from the victim\u2019s device. 
It usually impersonates flash player updaters, android system tools, or other legitimate applications.",
+ "meta": {
+ "refs": [
+ "https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot",
+ "https://forensics.spreitzenbarth.de/android-malware/",
+ "https://blog.avast.com/mobile-banking-trojan-sneaks-into-google-play-targeting-wells-fargo-chase-and-citibank-customers"
+ ]
+ },
+ "uuid": "4ed03b03-a34f-4583-9db1-6c58a4bd952b"
+ },
+ {
+ "value": "Viking Horde",
+ "description": "In rooted devices, Viking Horde installs software and executes code remotely to get access to the mobile data.",
+ "meta": {
+ "refs": [
+ "http://www.alwayson-network.com/worst-types-android-malware-2016/"
+ ]
+ },
+ "uuid": "c62a6121-2ebc-4bee-a25a-5285bf33328a"
+ },
+ {
+ "value": "HummingBad",
+ "description": "A Chinese advertising company has developed this malware. The malware has the power to take control of devices; it forces users to click advertisements and download apps. The malware uses a multistage attack chain.",
+ "meta": {
+ "refs": [
+ "http://www.alwayson-network.com/worst-types-android-malware-2016/",
+ "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf"
+ ]
+ },
+ "uuid": "f5cacc72-f02a-42d1-a020-7a59650086bb"
+ },
+ {
+ "value": "Ackposts",
+ "description": "Ackposts is a Trojan horse for Android devices that steals the Contacts information from the compromised device and sends it to a predetermined location.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-072302-3943-99"
+ ]
+ },
+ "uuid": "8261493f-c9a3-4946-874f-fe8445aa7691"
+ },
+ {
+ "value": "Wirex",
+ "description": "Wirex is a Trojan horse for Android devices that opens a backdoor on the compromised device which then joins a botnet for conducting click fraud.",
+ "meta": {
+ "refs": [
+ "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/",
+ 
"http://www.zdnet.com/article/wirex-ddos-malware-given-udp-flood-capabilities/"
+ ]
+ },
+ "uuid": "0b4f1af0-e0fb-4148-b08c-f6782757752a"
+ },
+ {
+ "value": "WannaLocker",
+ "description": "WannaLocker is a strain of ransomware for Android devices that encrypts files on the device's external storage and demands a payment to decrypt them.",
+ "meta": {
+ "refs": [
+ "https://fossbytes.com/wannalocker-ransomware-wannacry-android/"
+ ]
+ },
+ "uuid": "db4ddfc4-4f39-4e0b-905f-4703ed6b39b6"
+ },
+ {
+ "value": "Switcher",
+ "description": "Switcher is a Trojan horse for Android devices that modifies Wi-Fi router DNS settings. Swticher attempts to infiltrate a router's admin interface on the devices' WIFI network by using brute force techniques. If the attack succeeds, Switcher alters the DNS settings of the router, making it possible to reroute DNS queries to a network controlled by the malicious actors.",
+ "meta": {
+ "refs": [
+ "http://www.zdnet.com/article/this-android-infecting-trojan-malware-uses-your-phone-to-attack-your-router/",
+ "https://www.theregister.co.uk/2017/01/03/android_trojan_targets_routers/",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2017-090410-0547-99"
+ ]
+ },
+ "uuid": "60857664-0671-4b12-ade9-86ee6ecb026a"
+ },
+ {
+ "value": "Vibleaker",
+ "description": "Vibleaker was an app available on the Google Play Store named Beaver Gang Counter that contained malicious code that after specific orders from its maker would scan the user's phone for the Viber app, and then steal photos and videos recorded or sent through the app.",
+ "meta": {
+ "refs": [
+ "http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-videos-505758.shtml"
+ ]
+ },
+ "uuid": "27354d65-ca90-4f73-b942-13046e61700c"
+ },
+ {
+ "value": "ExpensiveWall",
+ "description": "ExpensiveWall is Android malware that sends fraudulent premium SMS messages and charges users accounts for fake services without their knowledge",
+ "meta": {
+ "refs": 
[
+ "https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/",
+ "http://fortune.com/2017/09/14/google-play-android-malware/"
+ ]
+ },
+ "uuid": "1484d72b-54d0-41b7-a9fa-18db9e9e5c69"
+ },
+ {
+ "value": "Cepsohord",
+ "description": "Cepsohord is a Trojan horse for Android devices that uses compromised devices to commit click fraud, modify DNS settings, randomly delete essential files, and download additional malware such as ransomware.",
+ "meta": {
+ "refs": [
+ "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/cepsohord"
+ ]
+ },
+ "uuid": "05b0c492-e1ef-4352-a714-b813e54b9032"
+ },
+ {
+ "value": "Fakem Rat",
+ "description": "Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99"
+ ]
+ },
+ "uuid": "c657075e-3ffb-4748-bfe2-f40c3527739f"
+ },
+ {
+ "value": "GM Bot",
+ "description": "GM Bot \u2013 also known as Acecard, SlemBunk, or Bankosy \u2013 scams people into giving up their banking log-in credentials and other personal data by displaying overlays that look nearly identical to banking apps log-in pages. 
Subsequently, the malware intercepts SMS to obtain two-factor authentication PINs, giving cybercriminals full access to bank accounts.",
+ "meta": {
+ "refs": [
+ "https://blog.avast.com/android-trojan-gm-bot-is-evolving-and-targeting-more-than-50-banks-worldwide"
+ ],
+ "synonyms": [
+ "Acecard",
+ "SlemBunk",
+ "Bankosy"
+ ]
+ },
+ "uuid": "3d3aa832-8847-47c5-9e31-ef13ab7ab6fb"
+ },
+ {
+ "value": "Moplus",
+ "description": "The Wormhole vulnerability in the Moplus SDK could be exploited by hackers to open an unsecured and unauthenticated HTTP server connection on the user\u2019s device, and this connection is established in the background without the user\u2019s knowledge.",
+ "meta": {
+ "refs": [
+ "http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html"
+ ]
+ },
+ "uuid": "d3f2ec07-4af3-4b3b-9cf0-2dba08bf5e68"
+ },
+ {
+ "value": "Adwind",
+ "description": "Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. 
According to the author, the backdoor component can run on Windows, Mac OS, Linux and Android platforms providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/adwind-faq/73660/"
+ ],
+ "synonyms": [
+ "AlienSpy",
+ "Frutas",
+ "Unrecom",
+ "Sockrat",
+ "Jsocket",
+ "jRat",
+ "Backdoor:Java/Adwind"
+ ]
+ },
+ "uuid": "ce1a9641-5bb8-4a61-990a-870e9ef36ac1"
+ },
+ {
+ "value": "AdSms",
+ "description": "Adsms is a Trojan horse that may send SMS messages from Android devices.",
+ "meta": {
+ "refs": [
+ "https://www.fortiguard.com/encyclopedia/virus/7389670",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-051313-4039-99"
+ ]
+ },
+ "uuid": "55b6621f-f928-4530-8271-5150e5f39211"
+ },
+ {
+ "value": "Airpush",
+ "description": "Airpush is a very aggresive Ad - Network",
+ "meta": {
+ "refs": [
+ "https://crypto.stanford.edu/cs155old/cs155-spring16/lectures/18-mobile-malware.pdf"
+ ],
+ "synonyms": [
+ "StopSMS"
+ ]
+ },
+ "uuid": "1393cccf-19c0-4cc8-8488-8156672d87ba"
+ },
+ {
+ "value": "BeanBot",
+ "description": "BeanBot forwards device's data to a remote server and sends out premium-rate SMS messages from the infected device.",
+ "meta": {
+ "refs": [
+ "https://www.f-secure.com/v-descs/trojan_android_beanbot.shtml"
+ ]
+ },
+ "uuid": "8dbacb31-2ae9-4c0a-bf62-d017b802d345"
+ },
+ {
+ "value": "Kemoge",
+ "description": "Kemoge is adware that disguises itself as popular apps via repackaging, then allows for a complete takeover of the users Android device.",
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-101207-3555-99"
+ ]
+ },
+ "uuid": "0c769e82-df28-4f65-97f5-7f3d88488f2e"
+ },
+ {
+ "value": "Ghost Push",
+ "description": "Ghost Push is a family of malware that infects the Android OS by automatically gaining root 
access, downloading malicious software, masquerading as a system app, and then losing root access, which then makes it virtually impossible to remove the infection even by factory reset unless the firmware is reflashed.",
+ "meta": {
+ "refs": [
+ "https://en.wikipedia.org/wiki/Ghost_Push",
+ "https://blog.avast.com/how-to-protect-your-android-device-from-ghost-push"
+ ]
+ },
+ "uuid": "c878cdfc-ab8b-40f1-9173-e62a51e6f804"
+ },
+ {
+ "value": "BeNews",
+ "description": "The BeNews app is a backdoor app that uses the name of defunct news site BeNews to appear legitimate. After installation it bypasses restrictions and downloads additional threats to the compromised device.",
+ "meta": {
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in-hacking-team-dump-designed-to-bypass-google-play/"
+ ]
+ },
+ "uuid": "281cf173-d547-4b37-a372-447caab577be"
+ },
+ {
+ "value": "Accstealer",
+ "description": "Accstealer is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-012711-1159-99"
+ ]
+ },
+ "uuid": "cbc1c053-5ee8-40c9-96c2-431ac6852fe1"
+ },
+ {
+ "value": "Acnetdoor",
+ "description": "Acnetdoor is a detection for Trojan horses on the Android platform that open a back door on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051611-4258-99"
+ ]
+ },
+ "uuid": "b36f7ce2-e208-4879-9a3f-58623727f887"
+ },
+ {
+ "value": "Acnetsteal",
+ "description": "Acnetsteal is a detection for Trojan horses on the Android platform that steal information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051612-0505-99"
+ ]
+ },
+ "uuid": "dbbc6b6f-fa87-4fdc-880d-7c22c2723c58"
+ },
+ {
+ "value": "Actech",
+ "description": "Actech is a Trojan horse for Android devices that steals information and sends it to a remote location. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080111-3948-99"
+ ]
+ },
+ "uuid": "0bf67f5b-0bcc-41e0-8db9-2b8df8cf1d03"
+ },
+ {
+ "value": "AdChina",
+ "description": "AdChina is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-2947-99"
+ ]
+ },
+ "uuid": "33a06139-1c18-4a9a-b86b-440c43266b15"
+ },
+ {
+ "value": "Adfonic",
+ "description": "Adfonic is an advertisement library that is bundled with certain Android applications. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052615-0024-99"
+ ]
+ },
+ "uuid": "a02b2327-525a-4343-9c76-64f2c984c536"
+ },
+ {
+ "value": "AdInfo",
+ "description": "AdInfo is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2433-99"
+ ]
+ },
+ "uuid": "a1737465-7af6-4362-b938-3a3fa737ebb7"
+ },
+ {
+ "value": "Adknowledge",
+ "description": "Adknowledge is an advertisement library that is bundled with certain Android applications. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-1033-99"
+ ]
+ },
+ "uuid": "dd626b23-173c-4737-b9d7-c44571c1abb3"
+ },
+ {
+ "value": "AdMarvel",
+ "description": "AdMarvel is an advertisement library that is bundled with certain Android applications. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-2450-99"
+ ]
+ },
+ "uuid": "6eb47eef-898e-4d74-9f85-ac9c99250e9b"
+ },
+ {
+ "value": "AdMob",
+ "description": "AdMob is an advertisement library that is bundled with certain Android applications. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-3437-99"
+ ]
+ },
+ "uuid": "932d18c5-6332-4334-83fc-4af3c46a4992"
+ },
+ {
+ "value": "Adrd",
+ "description": "Adrd is a Trojan horse that steals information from Android devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-021514-4954-99"
+ ]
+ },
+ "uuid": "121b8084-fdfd-4746-9675-cf8a191bf6d9"
+ },
+ {
+ "value": "Aduru",
+ "description": "Aduru is an advertisement library that is bundled with certain Android applications. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-2419-99"
+ ]
+ },
+ "uuid": "3476c6dd-3cb0-443d-8668-0f731616b068"
+ },
+ {
+ "value": "Adwhirl",
+ "description": "Adwhirl is an advertisement library that is bundled with certain Android applications. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1414-99"
+ ]
+ },
+ "uuid": "6fe8fd1b-a7d9-4ece-95f5-fdaaa0acd797"
+ },
+ {
+ "value": "Adwlauncher",
+ "description": "Adwlauncher is a Trojan horse for Android devices that steals information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-082308-1823-99"
+ ]
+ },
+ "uuid": "8ee649b6-8379-4b01-8997-dc7c82e22bb5"
+ },
+ {
+ "value": "Adwo",
+ "description": "Adwo is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-5806-99"
+ ]
+ },
+ "uuid": "5c979585-51c3-427c-a23d-cbe43083ce2d"
+ },
+ {
+ "value": "Airad",
+ "description": "Airad is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-1704-99"
+ ]
+ },
+ "uuid": "5824688f-e91c-44ab-ae2e-392299e9d071"
+ },
+ {
+ "value": "Alienspy",
+ "description": "Alienspy is a Trojan horse for Android devices that steals information from the compromised device. It may also download potentially malicious files. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-042714-5942-99"
+ ]
+ },
+ "uuid": "680a1677-9bff-4285-9394-62b1ce096c84"
+ },
+ {
+ "value": "AmazonAds",
+ "description": "AmazonAds is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-5002-99"
+ ]
+ },
+ "uuid": "3a94a731-4566-4cc5-8c01-d651dc11b8a5"
+ },
+ {
+ "value": "Answerbot",
+ "description": "Answerbot is a Trojan horse that opens a back door on Android devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-100711-2129-99"
+ ]
+ },
+ "uuid": "b8f8d1c1-5f33-4b13-8ecf-2383e3213713"
+ },
+ {
+ "value": "Antammi",
+ "description": "Antammi is a Trojan horse that steals information from Android devices. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-032106-5211-99"
+ ]
+ },
+ "uuid": "bbc13ff1-0cee-4c30-a864-2c6a341ac365"
+ },
+ {
+ "value": "Apkmore",
+ "description": "Apkmore is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-4813-99"
+ ]
+ },
+ "uuid": "f45b87cf-6811-427c-84ff-027898b0592a"
+ },
+ {
+ "value": "Aplog",
+ "description": "Aplog is a Trojan horse for Android devices that steals information from the device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-100911-1023-99"
+ ]
+ },
+ "uuid": "600da14d-a959-4a06-9a13-85ff50cb05b4"
+ },
+ {
+ "value": "Appenda",
+ "description": "Appenda is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062812-0516-99"
+ ]
+ },
+ "uuid": "1840c69b-f340-444e-a4e5-ac324c8214eb"
+ },
+ {
+ "value": "Apperhand",
+ "description": "Apperhand is an advertisement library that is bundled with certain Android applications. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5637-99"
+ ]
+ },
+ "uuid": "2c199154-888b-4444-8d21-622ed62e6e63"
+ },
+ {
+ "value": "Appleservice",
+ "description": "Appleservice is a Trojan horse for Android devices that may steal information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031011-4321-99"
+ ]
+ },
+ "uuid": "920b0561-abc9-409e-92b1-3b13b7d21a06"
+ },
+ {
+ "value": "AppLovin",
+ "description": "AppLovin is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-1739-99"
+ ]
+ },
+ "uuid": "e212433e-6dac-40ab-8793-8dcfe4a1538f"
+ },
+ {
+ "value": "Arspam",
+ "description": "Arspam is a Trojan horse for Android devices that sends spam SMS messages to contacts on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-121915-3251-99"
+ ]
+ },
+ "uuid": "e565a78c-8fa8-419b-b235-1fafa500686c"
+ },
+ {
+ "value": "Aurecord",
+ "description": "Aurecord is a spyware application for Android devices that allows the device it is installed on to be monitored. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-2310-99"
+ ]
+ },
+ "uuid": "80a800a7-01ec-4712-9d2b-2382f7bf9201"
+ },
+ {
+ "value": "Backapp",
+ "description": "Backapp is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-092708-5017-99"
+ ]
+ },
+ "uuid": "a4100d65-78d0-47ec-b939-709447641bab"
+ },
+ {
+ "value": "Backdexer",
+ "description": "Backdexer is a Trojan horse for Android devices that may send premium-rate SMS messages from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-121812-2502-99"
+ ]
+ },
+ "uuid": "27c289c7-a661-4322-9c21-8053f347e457"
+ },
+ {
+ "value": "Backflash",
+ "description": "Backflash is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-091714-0427-99"
+ ]
+ },
+ "uuid": "da8cc77b-a26d-43da-a47a-a50892c08edd"
+ },
+ {
+ "value": "Backscript",
+ "description": "Backscript is a Trojan horse for Android devices that downloads files onto the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-090704-3639-99"
+ ]
+ },
+ "uuid": "d9f11a96-5f9a-48b6-9dac-735ca4fca4d2"
+ },
+ {
+ "value": "Badaccents",
+ "description": "Badaccents is a Trojan horse for Android devices that may download apps on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-123015-3618-99"
+ ]
+ },
+ "uuid": "1442e5a8-d2cf-48cd-86e5-276a9dfc0bae"
+ },
+ {
+ "value": "Badpush",
+ "description": "Badpush is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-4133-99"
+ ]
+ },
+ "uuid": "ceacaa80-471e-4e38-b648-78b000771076"
+ },
+ {
+ "value": "Ballonpop",
+ "description": "Ballonpop is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-120911-1731-99"
+ ]
+ },
+ "uuid": "6f957cc5-467b-4465-b14d-ccc6f2206543"
+ },
+ {
+ "value": "Bankosy",
+ "description": "Bankosy is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99"
+ ]
+ },
+ "uuid": "620981e8-49c8-486a-b30c-359702c8ffbc"
+ },
+ {
+ "value": "Bankun",
+ "description": "Bankun is a Trojan horse for Android devices that replaces certain banking applications on the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-072318-4143-99"
+ ]
+ },
+ "uuid": "bc45ca3c-a6fa-408d-bfab-cc845ffde1e2"
+ },
+ {
+ "value": "Basebridge",
+ "description": "Basebridge is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-060915-4938-99"
+ ]
+ },
+ "uuid": "9ae60aaa-bcdb-46a1-a1da-d779cb13cb2b"
+ },
+ {
+ "value": "Basedao",
+ "description": "Basedao is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-061715-3303-99"
+ ]
+ },
+ "uuid": "9d625454-80a7-4c56-bb90-c0a678c6dec1"
+ },
+ {
+ "value": "Batterydoctor",
+ "description": "Batterydoctor is Trojan that makes exaggerated claims about the device's ability to recharge the battery, as well as steal information. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-101916-0847-99"
+ ]
+ },
+ "uuid": "5bd321b1-afef-482f-b160-2e209dffb390"
+ },
+ {
+ "value": "Beaglespy",
+ "description": "Beaglespy is an Android mobile detection for the Beagle spyware program as well as its associated client application.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-091010-0627-99"
+ ]
+ },
+ "uuid": "2e3ad1af-e24c-4b1c-87cb-360dab4d90a9"
+ },
+ {
+ "value": "Becuro",
+ "description": "Becuro is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-051410-3348-99"
+ ]
+ },
+ "uuid": "dd83dbc7-9ffa-4ca7-a8c3-6b27bde4c3bd"
+ },
+ {
+ "value": "Beita",
+ "description": "Beita is a Trojan horse for Android devices that steals information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-110111-1829-99"
+ ]
+ },
+ "uuid": "4baa74be-682f-4a38-b4b1-aceba8f48009"
+ },
+ {
+ "value": "Bgserv",
+ "description": "Bgserv is a Trojan that opens a back door and transmits information from the device to a remote location. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-031005-2918-99"
+ ]
+ },
+ "uuid": "e4a18a09-09ed-4ca8-93b8-be946e9f560c"
+ },
+ {
+ "value": "Biigespy",
+ "description": "Biigespy is an Android mobile detection for the Biige spyware program as well as its associated client application. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-091012-0526-99"
+ ]
+ },
+ "uuid": "7a46c9c6-9af5-41e6-a625-aa14009c528e"
+ },
+ {
+ "value": "Bmaster",
+ "description": "Bmaster is a Trojan horse on the Android platform that opens a back door, downloads files and steals potentially confidential information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99"
+ ]
+ },
+ "uuid": "9ac3232d-b533-44d6-9b73-4341e2cba4b4"
+ },
+ {
+ "value": "Bossefiv",
+ "description": "Bossefiv is a Trojan horse for Android devices that steals information. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-061520-4322-99"
+ ]
+ },
+ "uuid": "45d85c09-8bed-4c4e-b1d1-4784737734a5"
+ },
+ {
+ "value": "Boxpush",
+ "description": "Boxpush is an advertisement library that is bundled with certain Android applications. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-4613-99"
+ ]
+ },
+ "uuid": "412bb5c6-a5fd-4f36-939e-47f87cc3edae"
+ },
+ {
+ "value": "Burstly",
+ "description": "Burstly is an advertisement library that is bundled with certain Android applications. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1443-99"
+ ]
+ },
+ "uuid": "74053925-b076-47b0-8c23-bb90ff89653c"
+ },
+ {
+ "value": "Buzzcity",
+ "description": "Buzzcity is an advertisement library that is bundled with certain Android applications. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1454-99"
+ ]
+ },
+ "uuid": "604430f2-8109-40a6-8224-39d2790914e5"
+ },
+ {
+ "value": "ByPush",
+ "description": "ByPush is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4708-99"
+ ]
+ },
+ "uuid": "7c373640-5830-4f23-b122-3fb4f7af0b64"
+ },
+ {
+ "value": "Cajino",
+ "description": "Cajino is a Trojan horse for Android devices that opens a back door on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-040210-3746-99"
+ ]
+ },
+ "uuid": "388ed802-54bc-4cf0-899e-92fed27df5e1"
+ },
+ {
+ "value": "Casee",
+ "description": "Casee is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3501-99"
+ ]
+ },
+ "uuid": "f48a667a-a74d-4c04-80a2-a257cd8e29cc"
+ },
+ {
+ "value": "Catchtoken",
+ "description": "Catchtoken is a Trojan horse for Android devices that intercepts SMS messages and opens a back door on the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-121619-0548-99"
+ ]
+ },
+ "uuid": "ec37c5db-0497-440b-a7bc-4e28dc5c95f4"
+ },
+ {
+ "value": "Cauly",
+ "description": "Cauly is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3454-99"
+ ]
+ },
+ "uuid": "b5db1360-91fc-4dc3-8520-d00f9f3601ce"
+ },
+ {
+ "value": "Cellshark",
+ "description": "Cellshark is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111611-0914-99"
+ ]
+ },
+ "uuid": "471e6971-ab43-4b59-917c-5cdd5b8fd531"
+ },
+ {
+ "value": "Centero",
+ "description": "Centero is a Trojan horse for Android devices that displays advertisements on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-053006-2502-99"
+ ]
+ },
+ "uuid": "a9595906-adcf-4a08-9f71-f2eb2199cb87"
+ },
+ {
+ "value": "Chuli",
+ "description": "Chuli is a Trojan horse for Android devices that opens a back door and may steal information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-032617-1604-99"
+ ]
+ },
+ "uuid": "f2f3e65a-5e46-45e9-aa23-addd841ba3c6"
+ },
+ {
+ "value": "Citmo",
+ "description": "Citmo is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-5012-99"
+ ]
+ },
+ "uuid": "e271a188-fc07-4f03-a047-d96ea64ee1e5"
+ },
+ {
+ "value": "Claco",
+ "description": "Claco is a Trojan horse for Android devices that steals information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-020415-5600-99"
+ ]
+ },
+ "uuid": "2a7c2aff-9e7f-4358-9196-477042fc2f5b"
+ },
+ {
+ "value": "Clevernet",
+ "description": "Clevernet is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-5257-99"
+ ]
+ },
+ "uuid": "76090f4b-eb03-42c0-90bb-9337d1a20d74"
+ },
+ {
+ "value": "Cnappbox",
+ "description": "Cnappbox is an advertisement library that is bundled with certain Android applications. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-1141-99"
+ ]
+ },
+ "uuid": "d343483b-909c-490a-827e-3a2c9d6ad033"
+ },
+ {
+ "value": "Cobblerone",
+ "description": "Cobblerone is a spyware application for Android devices that can track the phone's location and remotely erase the device.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111514-3846-99"
+ ]
+ },
+ "uuid": "4863856a-9899-42a2-b02c-449aaa5a8258"
+ },
+ {
+ "value": "Coolpaperleak",
+ "description": "Coolpaperleak is a Trojan horse for Android devices that steals information and sends it to a remote location. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080211-5757-99"
+ ]
+ },
+ "uuid": "272b75a0-a77f-44eb-ba7f-b68804d3506d"
+ },
+ {
+ "value": "Coolreaper",
+ "description": "Coolreaper is a Trojan horse for Android devices that opens a back door on the compromised device. It may also steal information and download potentially malicious files. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-011220-3211-99"
+ ]
+ },
+ "uuid": "f2646118-fa1d-4e6a-9115-033ba1e05b21"
+ },
+ {
+ "value": "Cosha",
+ "description": "Cosha is a spyware program for Android devices that monitors and sends certain information to a remote location.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-081712-5231-99"
+ ]
+ },
+ "uuid": "045d0e45-ce4d-4b51-92c8-111013b3b972"
+ },
+ {
+ "value": "Counterclank",
+ "description": "Counterclank is a Trojan horse for Android devices that steals information. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99"
+ ]
+ },
+ "uuid": "95b527d5-d90c-4c37-973f-1dc83da6511e"
+ },
+ {
+ "value": "Crazymedia",
+ "description": "Crazymedia is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-2547-99"
+ ]
+ },
+ "uuid": "a08d4206-92b7-4b0e-9267-24eb4acf737f"
+ },
+ {
+ "value": "Crisis",
+ "description": "Crisis is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99"
+ ]
+ },
+ "uuid": "c17f6e4b-70c5-42f8-a91b-19d73485bd04"
+ },
+ {
+ "value": "Crusewind",
+ "description": "Crusewind is a Trojan horse for Android devices that sends SMS messages to a premium-rate number. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99"
+ ]
+ },
+ "uuid": "67c624e1-89a0-4581-9fa3-de4864a03aab"
+ },
+ {
+ "value": "Dandro",
+ "description": "Dandro is a Trojan horse for Android devices that allows a remote attacker to gain control over the device and steal information from it. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-012916-2128-99"
+ ]
+ },
+ "uuid": "a5bff39e-804e-4c62-b5fb-7a7e32069a7d"
+ },
+ {
+ "value": "Daoyoudao",
+ "description": "Daoyoudao is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040214-5018-99"
+ ]
+ },
+ "uuid": "939f5057-635a-46e7-b15a-fb301258d0f9"
+ },
+ {
+ "value": "Deathring",
+ "description": "Deathring is a Trojan horse for Android devices that may perform malicious activities on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-121116-4547-99"
+ ]
+ },
+ "uuid": "07ca0660-3391-4cb1-900c-a1ad38980b06"
+ },
+ {
+ "value": "Deeveemap",
+ "description": "Deeveemap is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2017-060907-5221-99"
+ ]
+ },
+ "uuid": "a23a5f71-affe-4f0e-aa8f-39a3967210ae"
+ },
+ {
+ "value": "Dendoroid",
+ "description": "Dendoroid is a Trojan horse for Android devices that opens a back door, steals information, and may perform other malicious activities on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030418-2633-99"
+ ]
+ },
+ "uuid": "f1a4a027-bb70-4279-9c59-c271ac264cbf"
+ },
+ {
+ "value": "Dengaru",
+ "description": "Dengaru is a Trojan horse for Android devices that performs click-fraud from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-051113-4819-99"
+ ]
+ },
+ "uuid": "2788d128-4c7a-4ed2-93c1-03125579251c"
+ },
+ {
+ "value": "Diandong",
+ "description": "Diandong is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-2453-99"
+ ]
+ },
+ "uuid": "4fc012cf-dbbf-4200-af95-879eb668eb66"
+ },
+ {
+ "value": "Dianjin",
+ "description": "Dianjin is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-0313-99"
+ ]
+ },
+ "uuid": "bb9ff44c-eb04-4df3-8e17-967f59fee4f5"
+ },
+ {
+ "value": "Dogowar",
+ "description": "Dogowar is a Trojan horse on the Android platform that sends SMS texts to all contacts on the device. It is a repackaged version of a game application called Dog Wars, which can be downloaded from a third party market and must be manually installed. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-081510-4323-99"
+ ]
+ },
+ "uuid": "397ed797-e2a9-423a-a485-e06b4633b37a"
+ },
+ {
+ "value": "Domob",
+ "description": "Domob is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-4235-99"
+ ]
+ },
+ "uuid": "e99fe1de-4f88-4c69-95bc-87df65dc73ca"
+ },
+ {
+ "value": "Dougalek",
+ "description": "Dougalek is a Trojan horse for Android devices that steals information from the compromised device. The threat is typically disguised to display a video. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-041601-3400-99"
+ ]
+ },
+ "uuid": "d06b78de-b9f1-474a-b243-c975bd55baed"
+ },
+ {
+ "value": "Dowgin",
+ "description": "Dowgin is an advertisement library that is bundled with certain Android applications. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-033108-4723-99"
+ ]
+ },
+ "uuid": "8635a12e-4fa4-495e-b3c9-de4a01c1bc59"
+ },
+ {
+ "value": "Droidsheep",
+ "description": "Droidsheep is a hacktool for Android devices that hijacks social networking accounts on compromised devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031014-3628-99"
+ ]
+ },
+ "uuid": "0ac34775-2323-4866-a540-913043aec431"
+ },
+ {
+ "value": "Dropdialer",
+ "description": "Dropdialer is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909-0726-99"
+ ]
+ },
+ "uuid": "d3aeb67a-6247-4a90-b7c2-971ced9dc7ef"
+ },
+ {
+ "value": "Dupvert",
+ "description": "Dupvert is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. It may also perform other malicious activities. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-072313-1959-99"
+ ]
+ },
+ "uuid": "f8c910ed-6047-4628-a21a-2d5bf6895fd4"
+ },
+ {
+ "value": "Dynamicit",
+ "description": "Dynamicit is an advertisement library that is bundled with certain Android applications. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-1346-99"
+ ]
+ },
+ "uuid": "e9df4254-31d9-45c3-80df-f6da15549ebb"
+ },
+ {
+ "value": "Ecardgrabber",
+ "description": "Ecardgrabber is an application that attempts to read details from NFC enabled credit cards. 
It attempts to read information from NFC enabled credit cards that are in close proximity.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062215-0939-99"
+ ]
+ },
+ "uuid": "70570b6a-7236-48cb-9b0d-e8495779f51d"
+ },
+ {
+ "value": "Ecobatry",
+ "description": "Ecobatry is a Trojan horse for Android devices that steals information and sends it to a remote location. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080606-4102-99"
+ ]
+ },
+ "uuid": "d8f4b1c3-7234-40ec-b944-8b22d2ba1fe7"
+ },
+ {
+ "value": "Enesoluty",
+ "description": "Enesoluty is a Trojan horse for Android devices that steals information and sends it to a remote location. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-090607-0807-99"
+ ]
+ },
+ "uuid": "6d5be115-6245-456b-929c-3077987e65d4"
+ },
+ {
+ "value": "Everbadge",
+ "description": "Everbadge is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-3736-99"
+ ]
+ },
+ "uuid": "36a6af63-035c-43ef-b534-0fe2f16462eb"
+ },
+ {
+ "value": "Ewalls",
+ "description": "Ewalls is a Trojan horse for the Android operating system that steals information from the mobile device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2010-073014-0854-99"
+ ]
+ },
+ "uuid": "ef424b45-fb8a-4e81-9b9e-5ebb8d9219ed"
+ },
+ {
+ "value": "Exprespam",
+ "description": "Exprespam is a Trojan horse for Android devices that displays a fake message and steals personal information stored on the compromised device. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-010705-2324-99" + ] + }, + "uuid": "043ee6fa-37de-4a2d-a888-95febf8a243c" + }, + { + "value": "Fakealbums", + "description": "Fakealbums is a Trojan horse for Android devices that monitors and forwards received messages from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-071819-0636-99" + ] + }, + "uuid": "0399e18a-e047-4507-a66c-2503b00cd727" + }, + { + "value": "Fakeangry", + "description": "Fakeangry is a Trojan horse on the Android platform that opens a back door, downloads files, and steals potentially confidential information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022823-4233-99" + ] + }, + "uuid": "6032b79e-68e7-4a9f-b913-8cb62e7c28e8" + }, + { + "value": "Fakeapp", + "description": "Fakeapp is a Trojan horse for Android devices that downloads configuration files to display advertisements and collects information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022805-4318-99" + ] + }, + "uuid": "493c97f8-db6c-40ae-a06e-fa2a9d84d660" + }, + { + "value": "Fakebanco", + "description": "Fakebanco is a Trojan horse for Android devices that redirects users to a phishing page in order to steal their information. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-112109-5329-99" + ] + }, + "uuid": "7714a6ee-3a75-42b2-ad4b-ec21da4259fd" + }, + { + "value": "Fakebank", + "description": "Fakebank is a Trojan horse that steals information from the compromised device. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-071813-2448-99" + ] + }, + "uuid": "4fba0b79-0be2-4471-9c1a-5a0295130ac2" + }, + { + "value": "Fakebank.B", + "description": "Fakebank.B is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-101114-5645-99" + ] + }, + "uuid": "fb3083ad-5342-4913-9d48-f3abaf613878" + }, + { + "value": "Fakebok", + "description": "Fakebok is a Trojan horse for Android devices that sends SMS messages to premium phone numbers. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-021115-5153-99" + ] + }, + "uuid": "84318a88-5ed5-43e9-ae8d-143e7373a46d" + }, + { + "value": "Fakedaum", + "description": "Fakedaum is a Trojan horse for Android devices that steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99" + ] + }, + "uuid": "b91c1aaf-4a06-40ec-b4b9-59e9da882697" + }, + { + "value": "Fakedefender", + "description": "Fakedefender is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-060301-4418-99" + ] + }, + "uuid": "79a6bf32-d063-4b7c-a891-3dda49e31582" + }, + { + "value": "Fakedefender.B", + "description": "Fakedefender.B is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99" + ] + }, + "uuid": "26f660c5-c04b-4bb2-8169-5dc2dfe1c835" + }, + { + "value": "Fakedown", + "description": "Fakedown is a Trojan horse for Android devices that downloads more malicious apps onto the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-041803-5918-99" + ] + }, + "uuid": "f43ef200-e9d8-4cca-bb63-ac3d70465fed" + }, + { + "value": "Fakeflash", + "description": "Fakeflash is a Trojan horse for Android devices that installs a fake Flash application in order to direct users to a website. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-070318-2122-99" + ] + }, + "uuid": "d2fe043a-8b6c-4aa2-8527-c51b7b44f9df" + }, + { + "value": "Fakegame", + "description": "Fakegame is a Trojan horse for Android devices that displays advertisements and steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-040808-2922-99" + ] + }, + "uuid": "250a3e30-2025-486d-98fe-2fe1cf817451" + }, + { + "value": "Fakeguard", + "description": "Fakeguard is a Trojan horse for Android devices that steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-102908-3526-99" + ] + }, + "uuid": "2c5798aa-e68c-4158-ba04-1db39512451f" + }, + { + "value": "Fakejob", + "description": "Fakejob is a Trojan horse for Android devices that redirects users to scam websites. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030721-3048-99" + ] + }, + "uuid": "ba8bf35c-187f-4acb-8b44-5ee288535679" + }, + { + "value": "Fakekakao", + "description": "Fakekakao is a Trojan horse for Android devices sends SMS messages to contacts stored on the compromised device. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-071617-2031-99" + ] + }, + "uuid": "f0915277-0156-4832-b282-4447f4d06449" + }, + { + "value": "Fakelemon", + "description": "Fakelemon is a Trojan horse for Android devices that blocks certain SMS messages and may subscribe to services without the user's consent. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-120609-3608-99" + ] + }, + "uuid": "398bd8d6-a7ee-4f51-a8ff-96d8b4ae93a5" + }, + { + "value": "Fakelicense", + "description": "Fakelicense is a Trojan horse that displays advertisements on the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-062709-1437-99" + ] + }, + "uuid": "21e5a963-ad8a-479b-b33e-35deb75f846d" + }, + { + "value": "Fakelogin", + "description": "Fakelogin is a Trojan horse for Android devices that steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2015-102108-5457-99" + ] + }, + "uuid": "6bd49caa-59a2-4abf-86ea-7a2ebc7ed324" + }, + { + "value": "FakeLookout", + "description": "FakeLookout is a Trojan horse for Android devices that opens a back door and steals information on the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-101919-2128-99" + ] + }, + "uuid": "caffc461-7415-4017-82bf-195df5d7791f" + }, + { + "value": "FakeMart", + "description": "FakeMart is a Trojan horse for Android devices that may send SMS messages to premium rate numbers. It may also block incoming messages and steal information from the compromised device. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99" + ] + }, + "uuid": "6816561e-203f-4f6c-b85b-e4f51148e9e7" + }, + { + "value": "Fakemini", + "description": "Fakemini is a Trojan horse for Android devices that disguises itself as an installation for the Opera Mini browser and sends premium-rate SMS messages to a predetermined number. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-110410-5958-99" + ] + }, + "uuid": "b40b23aa-5b2a-46bf-94ab-0bd0f9a896c9" + }, + { + "value": "Fakemrat", + "description": "Fakemrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99" + ] + }, + "uuid": "b61b0ca5-fd3c-4e65-af3f-7d4e9bc75e62" + }, + { + "value": "Fakeneflic", + "description": "Fakeneflic is a Trojan horse that steals information from Android devices. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99" + ] + }, + "uuid": "58113e57-f6df-45f0-a058-b08a892c3903" + }, + { + "value": "Fakenotify", + "description": "Fakenotify is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers, collects and sends information, and periodically displays Web pages. It also downloads legitimate apps onto the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-011302-3052-99" + ] + }, + "uuid": "9dbfc63d-2b0d-406d-95cf-f87494bd588a" + }, + { + "value": "Fakepatch", + "description": "Fakepatch is a Trojan horse for Android devices that downloads more files on to the device. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062811-2820-99" + ] + }, + "uuid": "981938f8-7820-4b15-ab96-f4923280253c" + }, + { + "value": "Fakeplay", + "description": "Fakeplay is a Trojan horse for Android devices that steals information from the compromised device and sends it to a predetermined email address. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-100917-3825-99" + ] + }, + "uuid": "4ac0574f-8faa-463f-a493-b245f2c76d2c" + }, + { + "value": "Fakescarav", + "description": "Fakescarav is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to pay in order to remove non-existent malware or security risks from the device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2015-012809-1901-99" + ] + }, + "uuid": "d52ff282-7b5c-427d-bc79-fbd686fb9ba3" + }, + { + "value": "Fakesecsuit", + "description": "Fakesecsuit is a Trojan horse for Android devices that steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-060514-1301-99" + ] + }, + "uuid": "c23a04d3-5c38-4edc-b082-84c8997405ab" + }, + { + "value": "Fakesucon", + "description": "Fakesucon is a Trojan horse program for Android devices that sends SMS messages to premium-rate phone numbers. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-120915-2524-99" + ] + }, + "uuid": "942a4a67-875a-4273-845f-3d6845738283" + }, + { + "value": "Faketaobao", + "description": "Faketaobao is a Trojan horse for Android devices that steals information from the compromised device. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99" + ] + }, + "uuid": "ee83a04a-5ce2-41f9-b232-c274c25acd7e" + }, + { + "value": "Faketaobao.B", + "description": "Faketaobao.B is a Trojan horse for Android devices that intercepts and and sends incoming SMS messages to a remote attacker. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-012106-4013-99" + ] + }, + "uuid": "2d4899d5-d566-4058-b216-a5c37f601417" + }, + { + "value": "Faketoken", + "description": "Faketoken is a Trojan horse that opens a back door on the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-032211-2048-99", + "http://bgr.com/2017/08/18/android-malware-faketoken-steal-credit-card-info/" + ] + }, + "uuid": "25feca2d-6867-4390-9d60-100b47d9d81a" + }, + { + "value": "Fakeupdate", + "description": "Fakeupdate is a Trojan horse for Android devices that downloads other applications onto the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-081914-5637-99" + ] + }, + "uuid": "e3eab046-a427-4132-99e7-f69598abcfd4" + }, + { + "value": "Fakevoice", + "description": "Fakevoice is a Trojan horse for Android devices that dials a premium-rate phone number. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-040510-3249-99" + ] + }, + "uuid": "aab42c7b-fe4e-483c-9db5-146f449c0937" + }, + { + "value": "Farmbaby", + "description": "Farmbaby is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-090715-3641-99" + ] + }, + "uuid": "97973daa-ece5-46ef-ac5b-a6ead8bddb97" + }, + { + "value": "Fauxtocopy", + "description": "Fauxtocopy is a spyware application for Android devices that gathers photos from the device and sends them to a predetermined email address.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111515-3940-99" + ] + }, + "uuid": "1b316569-88c5-4f5a-874c-b3eb7f5a229d" + }, + { + "value": "Feiwo", + "description": "Feiwo is an advertisement library that is bundled with certain Android applications.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-4038-99" + ] + }, + "uuid": "0e5a7148-d5ab-4428-bbec-55780a4fcdad" + }, + { + "value": "FindAndCall", + "description": "FindAndCall is a Potentially Unwanted Application for Android devices that may leak information.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-2906-99" + ] + }, + "uuid": "d49baeba-0982-4815-a30a-c6520424a44d" + }, + { + "value": "Finfish", + "description": "Finfish is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-083016-0032-99" + ] + }, + "uuid": "b17a7d6f-8a48-408d-9362-3be6fab1d464" + }, + { + "value": "Fireleaker", + "description": "Fireleaker is a Trojan horse for Android devices that steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-5207-99" + ] + }, + "uuid": "c8202616-804d-48c6-b104-466b3584f511" + }, + { + "value": "Fitikser", + "description": "Fitikser is a Trojan horse for Android devices that steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-093015-2830-99" + ] + }, + "uuid": "10ac6220-2f49-4b25-9024-15f83f18033e" + }, + { + "value": "Flexispy", + "description": "Flexispy is a Spyware application for Android devices that logs the device's activity and sends it to a predetermined website. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-122006-4805-99" + ] + }, + "uuid": "a24e855e-cd0c-4abd-b2d8-0eaec87bcae5" + }, + { + "value": "Fokonge", + "description": "Fokonge is a Trojan horse that steals information from Android devices. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071802-0727-99" + ] + }, + "uuid": "819bf929-01f0-447e-994c-e0e2f5a145c9" + }, + { + "value": "FoncySMS", + "description": "FoncySMS is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. It may also connect to an IRC server and execute any received shell commands. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-011502-2651-99" + ] + }, + "uuid": "917270d8-d7f3-432a-8c5c-28e7ea842f3e" + }, + { + "value": "Frogonal", + "description": "Frogonal is a Trojan horse for Android devices that steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062205-2312-99" + ] + }, + "uuid": "c0c69286-1448-4a37-b047-7518d45a0b80" + }, + { + "value": "Ftad", + "description": "Ftad is an advertisement library that is bundled with certain Android applications.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040114-2020-99" + ] + }, + "uuid": "4295a452-f24d-4a95-be3c-dc5f17606669" + }, + { + "value": "Funtasy", + "description": "Funtasy is a Trojan horse for Android devices that subscribes the user to premium SMS services. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-092519-5811-99" + ] + }, + "uuid": "8e11e4fa-e8d5-485d-8ee8-61bf52bcde27" + }, + { + "value": "GallMe", + "description": "GallMe is an advertisement library that is bundled with certain Android applications.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1336-99" + ] + }, + "uuid": "2086ef12-5578-496c-b140-433836b643ef" + }, + { + "value": "Gamex", + "description": "Gamex is a Trojan horse for Android devices that downloads further threats. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051015-1808-99" + ] + }, + "uuid": "fb63ab80-c198-48a8-a2f3-5fee516d8277" + }, + { + "value": "Gappusin", + "description": "Gappusin is a Trojan horse for Android devices that downloads applications and disguises them as system updates. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022007-2013-99" + ] + }, + "uuid": "65a95075-b79d-42ea-8a62-8390994fbed4" + }, + { + "value": "Gazon", + "description": "Gazon is a worm for Android devices that spreads through SMS messages. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2015-030320-1436-99" + ] + }, + "uuid": "77ea250b-d8aa-4477-8c74-93af056d8eee" + }, + { + "value": "Geinimi", + "description": "Geinimi is a Trojan that opens a back door and transmits information from the device to a remote location. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-010111-5403-99" + ] + }, + "uuid": "da751d6f-779e-4d87-99ad-9393cb72607d" + }, + { + "value": "Generisk", + "description": "Generisk is a generic detection for Android applications that may pose a privacy, security, or stability risk to the user or user's Android device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-062622-1559-99" + ] + }, + "uuid": "1f8573ad-c3ff-4268-83a5-c0a71f7b7944" + }, + { + "value": "Genheur", + "description": "Genheur is a generic detection for many individual but varied Trojans for Android devices for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-0848-99" + ] + }, + "uuid": "5bcc7083-006b-428a-8952-aa34354e011e" + }, + { + "value": "Genpush", + "description": "Genpush is an advertisement library that is bundled with certain Android applications.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-033109-0426-99" + ] + }, + "uuid": "1854c808-f818-416c-961a-ba582bf5f27c" + }, + { + "value": "GeoFake", + "description": "GeoFake is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-040217-3232-99" + ] + }, + "uuid": "4fa4e576-369a-4211-a1ea-4896aacfe4a7" + }, + { + "value": "Geplook", + "description": "Geplook is a Trojan horse for Android devices that downloads additional apps onto the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-121814-0917-99" + ] + }, + "uuid": "ead163e7-c5b5-486f-b27d-629b26f6abdc" + }, + { + "value": "Getadpush", + "description": "Getadpush is an advertisement library that is bundled with certain Android applications.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-0957-99" + ] + }, + "uuid": "f41a08e2-5fc4-48ca-9cbc-9c7f0bce9b1f" + }, + { + "value": "Ggtracker", + "description": "Ggtracker is a Trojan horse for Android devices that sends SMS messages to a premium-rate number. It may also steal information from the device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-062208-5013-99" + ] + }, + "uuid": "d4aed5c2-4011-4b62-80c1-8cdc6e5b2fc5" + }, + { + "value": "Ghostpush", + "description": "Ghostpush is a Trojan horse for Android devices that roots the compromised device. It may then perform malicious activities on the compromised device. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2015-100215-3718-99" + ] + }, + "uuid": "9423457b-4660-4d27-916f-b6fd39628e17" + }, + { + "value": "Gmaster", + "description": "Gmaster is a Trojan horse on the Android platform that steals potentially confidential information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99" + ] + }, + "uuid": "92955169-4734-47d5-adfe-e01003dc0768" + }, + { + "value": "Godwon", + "description": "Godwon is a Trojan horse for Android devices that steals information. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-091017-1833-99" + ] + }, + "uuid": "3787e5cf-49af-4105-a775-241c40aec377" + }, + { + "value": "Golddream", + "description": "Golddream is a Trojan horse that steals information from Android devices. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-070608-4139-99" + ] + }, + "uuid": "fa2fe25b-247a-4675-ab85-a040200ff9a7" + }, + { + "value": "Goldeneagle", + "description": "Goldeneagle is a Trojan horse that steals information from Android devices. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-090110-3712-99" + ] + }, + "uuid": "c0836a8b-b104-42e5-ba0c-261ae2f65c50" + }, + { + "value": "Golocker", + "description": "Golocker is a Trojan horse for Android devices that steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062003-3214-99" + ] + }, + "uuid": "28171041-ed65-4545-9e21-e6f925fd1688" + }, + { + "value": "Gomal", + "description": "Gomal is a Trojan horse for Android devices that steals information from the compromised device. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-101312-1047-99" + ] + }, + "uuid": "666b5326-8552-481a-85ee-37cea031de9d" + }, + { + "value": "Gonesixty", + "description": "Gonesixty is a Trojan horse that steals information from Android devices. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99" + ] + }, + "uuid": "b153de8e-1096-4ff3-8c00-0dffe77574eb" + }, + { + "value": "Gonfu", + "description": "Gonfu is a Trojan horse that steals information from Android devices. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-060610-3953-99" + ] + }, + "uuid": "b10ae730-e9d8-42f7-8970-77fde44733c2" + }, + { + "value": "Gonfu.B", + "description": "Gonfu.B is a Trojan horse that steals information from Android devices. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-030811-5215-99" + ] + }, + "uuid": "0caf0b55-e4ee-4971-86f0-8968ecbec5cf" + }, + { + "value": "Gonfu.C", + "description": "Gonfu.C is a Trojan horse for Android devices that may download additional threats on the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031817-3639-99" + ] + }, + "uuid": "faf9c1dc-4efd-4e16-abf9-135839126b58" + }, + { + "value": "Gonfu.D", + "description": "Gonfu.D is a Trojan horse that opens a back door on Android devices. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-040414-1158-99" + ] + }, + "uuid": "7ee57b0f-fc7c-424a-b3c7-e1a5a028ed8e" + }, + { + "value": "Gooboot", + "description": "Gooboot is a Trojan horse for Android devices that may send text messages to premium rate numbers. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031818-3034-99" + ] + }, + "uuid": "dedde091-a167-42bd-b47c-710381a5fc4f" + }, + { + "value": "Goodadpush", + "description": "Goodadpush is an advertisement library that is bundled with certain Android applications.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0913-99" + ] + }, + "uuid": "24d9abb7-67e6-4cd5-8f34-6fae58293134" + }, + { + "value": "Greystripe", + "description": "Greystripe is an advertisement library that is bundled with certain Android applications.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-2643-99" + ] + }, + "uuid": "4e9b59a3-1b0b-4c94-bac2-22a9730cc1a0" + }, + { + "value": "Gugespy", + "description": "Gugespy is a spyware program for Android devices that logs the device's activity and sends it to a predetermined email address.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071822-2515-99" + ] + }, + "uuid": "1d9c433a-9b8c-4ad7-b4b3-5a29137aca3b" + }, + { + "value": "Gugespy.B", + "description": "Gugespy.B is a spyware program for Android devices that monitors and sends certain information to a remote location.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-070511-5038-99" + ] + }, + "uuid": "3869692a-e24c-44ad-8f46-a0bd38c5bc5e" + }, + { + "value": "Gupno", + "description": "Gupno is a Trojan horse for Android devices that poses as a legitimate app and attempts to charge users for features that are normally free. It may also display advertisements on the compromised device. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2015-072211-5533-99" + ] + }, + "uuid": "2434d65f-7a96-4cf3-b3c7-d93d70be8907" + }, + { + "value": "Habey", + "description": "Habey is a Trojan horse for Android devices that may attempt to delete files and send SMS messages from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-100608-4512-99" + ] + }, + "uuid": "15109175-300b-42b1-bc59-2ad305cb2338" + }, + { + "value": "Handyclient", + "description": "Handyclient is an advertisement library that is bundled with certain Android applications.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5027-99" + ] + }, + "uuid": "dc37a1f9-dec0-4ea0-94c6-450b26272e3d" + }, + { + "value": "Hehe", + "description": "Hehe is a Trojan horse for Android devices that blocks incoming calls and SMS messages from specific numbers. The Trojan also steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-012211-0020-99" + ] + }, + "uuid": "c9538896-1dd4-4d87-b89c-a0a019996b27" + }, + { + "value": "Hesperbot", + "description": "Hesperbot is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2013-121010-1120-99" + ] + }, + "uuid": "a642266c-b729-4009-8bd5-9cb06857cda7" + }, + { + "value": "Hippo", + "description": "Hippo is a Trojan horse that sends SMS messages to premium-rate phone numbers. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071215-3547-99" + ] + }, + "uuid": "bdf5533f-f05d-44cf-ad0c-c1db9689961f" + }, + { + "value": "Hippo.B", + "description": "Hippo.B is a Trojan horse that sends SMS messages to premium-rate phone numbers. 
", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031915-0151-99" + ] + }, + "uuid": "04d2d441-1a18-4921-96f1-56fc938e01ea" + }, + { + "value": "IadPush", + "description": "IadPush is an advertisement library that is bundled with certain Android applications.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4104-99" + ] + }, + "uuid": "d8dd9f88-4acf-4bbf-886b-6c48f2463109" + }, + { + "value": "iBanking", + "description": "iBanking is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030713-0559-99" + ] + }, + "uuid": "531f750f-fe86-4548-a2e5-540fda864860" + }, + { + "value": "Iconosis", + "description": "Iconosis is a Trojan horse for Android devices that steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062107-3327-99" + ] + }, + "uuid": "71e19f13-ef09-44f2-a71b-ef39b2f02dbf" + }, + { + "value": "Iconosys", + "description": "Iconosys is a Trojan horse for Android devices that steals information from the compromised device. ", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-081309-0341-99" + ] + }, + "uuid": "84480513-a52a-4de2-9869-1c886a6e8365" + }, + { + "value": "Igexin", + "description": "Igexin is an advertisement library that is bundled with certain Android applications.", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2015-032606-5519-99" + ] + }, + "uuid": "52c5f9b3-e9ed-4c86-b4a8-d4ebc68a4d7b" + }, + { + "value": "ImAdPush", + "description": "ImAdPush is an advertisement library that is bundled with certain Android applications. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040323-0218-99"
+ ]
+ },
+ "uuid": "847d6c0e-d92e-4466-91b8-6fe2718c6031"
+ },
+ {
+ "value": "InMobi",
+ "description": "InMobi is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-1527-99"
+ ]
+ },
+ "uuid": "65e35c22-4a55-44ad-bd09-43f8a18d7e93"
+ },
+ {
+ "value": "Jifake",
+ "description": "Jifake is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-073021-4247-99"
+ ]
+ },
+ "uuid": "d32149d8-a20c-40eb-b486-7c3b3369bb9a"
+ },
+ {
+ "value": "Jollyserv",
+ "description": "Jollyserv is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-090311-4533-99"
+ ]
+ },
+ "uuid": "ee7faba5-6d35-49ff-af50-1ded1e42cc0b"
+ },
+ {
+ "value": "Jsmshider",
+ "description": "Jsmshider is a Trojan horse that opens a back door on Android devices. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-062114-0857-99"
+ ]
+ },
+ "uuid": "5390586b-a224-4006-ab43-73ecdebe7892"
+ },
+ {
+ "value": "Ju6",
+ "description": "Ju6 is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2428-99"
+ ]
+ },
+ "uuid": "7886d5bb-8318-427a-a5df-9dc2122d8f05"
+ },
+ {
+ "value": "Jumptap",
+ "description": "Jumptap is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0859-99"
+ ]
+ },
+ "uuid": "ab353e23-22ef-44a8-80de-fe0ae609e571"
+ },
+ {
+ "value": "Jzmob",
+ "description": "Jzmob is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-1703-99"
+ ]
+ },
+ "uuid": "941608bc-1fd5-473a-b4f7-a7f9763a4276"
+ },
+ {
+ "value": "Kabstamper",
+ "description": "Kabstamper is a Trojan horse for Android devices that corrupts images found on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-060706-2305-99"
+ ]
+ },
+ "uuid": "ff8e4fe3-12b3-4c3b-959e-82971821d8e9"
+ },
+ {
+ "value": "Kidlogger",
+ "description": "Kidlogger is a Spyware application for Android devices that logs the device's activity and sends it to a predetermined website.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-122014-1927-99"
+ ]
+ },
+ "uuid": "89c13c33-8ec2-4bbe-9867-02ac9f0a7dad"
+ },
+ {
+ "value": "Kielog",
+ "description": "Kielog is a Trojan horse for Android devices that logs keystrokes and sends the stolen information to the remote attacker. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-040205-4035-99"
+ ]
+ },
+ "uuid": "324a5388-63f9-4ba8-aa5f-6a803be5e903"
+ },
+ {
+ "value": "Kituri",
+ "description": "Kituri is a Trojan horse for Android devices that blocks certain SMS messages from being received by the device. It may also send SMS messages to a premium-rate number. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061111-5350-99"
+ ]
+ },
+ "uuid": "d1c6c267-4c59-4cf9-a540-13d38b20d360"
+ },
+ {
+ "value": "Kranxpay",
+ "description": "Kranxpay is a Trojan horse for Android devices that downloads other apps onto the device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071009-0809-99"
+ ]
+ },
+ "uuid": "67f27518-6ec3-4723-8b4d-34d91a4d3a3e"
+ },
+ {
+ "value": "Krysanec",
+ "description": "Krysanec is a Trojan horse for Android devices that opens a back door on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-090113-4128-99"
+ ]
+ },
+ "uuid": "736ebf9f-1868-45ea-94a5-d389f2d11588"
+ },
+ {
+ "value": "Kuaidian360",
+ "description": "Kuaidian360 is an advertisement library that is bundled with certain Android applications. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040109-2415-99"
+ ]
+ },
+ "uuid": "0ec6ad4a-77ce-4c68-a349-1973bdc328f6"
+ },
+ {
+ "value": "Kuguo",
+ "description": "Kuguo is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-5215-99"
+ ]
+ },
+ "uuid": "9fa68491-57fc-4d85-a063-0b822286c25f"
+ },
+ {
+ "value": "Lastacloud",
+ "description": "Lastacloud is a Trojan horse for Android devices that steals information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-121216-4334-99"
+ ]
+ },
+ "uuid": "3bbf47e9-57b1-4bd1-9dc3-34d59e203771"
+ },
+ {
+ "value": "Laucassspy",
+ "description": "Laucassspy is a spyware program for Android devices that steals information and sends it to a remote location.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-092409-1822-99"
+ ]
+ },
+ "uuid": "3b3956a8-a1cb-4839-8731-08295c2b88d6"
+ },
+ {
+ "value": "Lifemonspy",
+ "description": "Lifemonspy is a spyware application for Android devices that can track the phone's location, download SMS messages, and erase certain data from the device.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-5540-99"
+ ]
+ },
+ "uuid": "063abe8e-3688-48af-848e-132d636b4ecc"
+ },
+ {
+ "value": "Lightdd",
+ "description": "Lightdd is a Trojan horse that steals information from Android devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-053114-2342-99"
+ ]
+ },
+ "uuid": "47aec378-9c9c-432c-9cd5-ddaa7942c6f4"
+ },
+ {
+ "value": "Loaderpush",
+ "description": "Loaderpush is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0244-99"
+ ]
+ },
+ "uuid": "5b137010-c01c-4811-b93f-e1de1c986563"
+ },
+ {
+ "value": "Locaspy",
+ "description": "Locaspy is a Potentially Unwanted Application for Android devices that tracks the location of the compromised device.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030720-3500-99"
+ ]
+ },
+ "uuid": "75e2f27a-cdeb-4768-808e-469d99a581d1"
+ },
+ {
+ "value": "Lockdroid.E",
+ "description": "Lockdroid.E is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-103005-2209-99"
+ ]
+ },
+ "uuid": "04fc65b7-47a1-4eac-b485-ea8a6933613c"
+ },
+ {
+ "value": "Lockdroid.F",
+ "description": "Lockdroid.F is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-102215-4346-99"
+ ]
+ },
+ "uuid": "a98bb328-2a25-4733-b1d2-688abf25784d"
+ },
+ {
+ "value": "Lockdroid.G",
+ "description": "Lockdroid.G is a Trojan horse for Android devices that may display a ransom demand on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-050610-2450-99"
+ ]
+ },
+ "uuid": "0e4f2334-889f-4438-bdfb-b4287397fc43"
+ },
+ {
+ "value": "Lockdroid.H",
+ "description": "Lockdroid.H is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2016-031621-1349-99"
+ ]
+ },
+ "uuid": "f453d127-48ae-4422-9e79-fb138f26de83"
+ },
+ {
+ "value": "Lockscreen",
+ "description": "Lockscreen is a Trojan horse for Android devices that locks the compromised device from use. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-032409-0743-99"
+ ]
+ },
+ "uuid": "370237dc-95f4-47a0-9985-2ec8151f7e3a"
+ },
+ {
+ "value": "LogiaAd",
+ "description": "LogiaAd is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0348-99"
+ ]
+ },
+ "uuid": "8a065cda-da87-46b6-960a-2bcc74e92fd1"
+ },
+ {
+ "value": "Loicdos",
+ "description": "Loicdos is an Android application that provides an interface to a website in order to perform a denial of service (DoS) attack against a computer. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022002-2431-99"
+ ]
+ },
+ "uuid": "32ec05c2-a360-49b1-8863-166fd0011460"
+ },
+ {
+ "value": "Loozfon",
+ "description": "Loozfon is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-082005-5451-99"
+ ]
+ },
+ "uuid": "983458be-99a4-460a-be5d-c8b284468a61"
+ },
+ {
+ "value": "Lotoor",
+ "description": "Lotoor is a generic detection for hack tools that exploit vulnerabilities in order to gain root privileges on compromised Android devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-091922-4449-99"
+ ]
+ },
+ "uuid": "f459ff4a-3015-458f-8402-9981b6164f17"
+ },
+ {
+ "value": "Lovespy",
+ "description": "Lovespy is a Trojan horse for Android devices that steals information from the device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071814-3805-99"
+ ]
+ },
+ "uuid": "508ab8e3-c950-4adf-b87a-90f86423fa4d"
+ },
+ {
+ "value": "Lovetrap",
+ "description": "Lovetrap is a Trojan horse that sends SMS messages to premium-rate phone numbers. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99"
+ ]
+ },
+ "uuid": "ab2b8596-4304-4682-a324-6a9ddd9a9c31"
+ },
+ {
+ "value": "Luckycat",
+ "description": "Luckycat is a Trojan horse for Android devices that opens a back door and steals information on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080617-5343-99"
+ ]
+ },
+ "uuid": "5429dd64-74f5-4370-85f0-2654c067dfc5"
+ },
+ {
+ "value": "Machinleak",
+ "description": "Machinleak is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-120311-2440-99"
+ ]
+ },
+ "uuid": "68c21410-a32c-4151-9e3e-bd3070937bfd"
+ },
+ {
+ "value": "Maistealer",
+ "description": "Maistealer is a Trojan that steals information from Android devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-072411-4350-99"
+ ]
+ },
+ "uuid": "88521447-177a-4024-b336-0a065e6d7f16"
+ },
+ {
+ "value": "Malapp",
+ "description": "Malapp is a generic detection for many individual but varied threats on Android devices that share similar characteristics. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-073014-3354-99"
+ ]
+ },
+ "uuid": "4b2483e7-acc2-4eec-bd7f-a8ac45e403b4"
+ },
+ {
+ "value": "Malebook",
+ "description": "Malebook is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071206-3403-99"
+ ]
+ },
+ "uuid": "93177c2f-79fa-4b3e-8312-994306bac870"
+ },
+ {
+ "value": "Malhome",
+ "description": "Malhome is a Trojan horse for Android devices that steals information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071118-0441-99"
+ ]
+ },
+ "uuid": "6178421f-b4d9-4307-b9ac-f75139651adf"
+ },
+ {
+ "value": "Malminer",
+ "description": "Malminer is a Trojan horse for Android devices that mines cryptocurrencies on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032712-3709-99"
+ ]
+ },
+ "uuid": "1e7e1c16-f241-41ea-ab12-f3c3f72f0931"
+ },
+ {
+ "value": "Mania",
+ "description": "Mania is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-070623-1520-99"
+ ]
+ },
+ "uuid": "dd97858e-001b-4ac4-9947-fcfdf24e12f7"
+ },
+ {
+ "value": "Maxit",
+ "description": "Maxit is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals certain information and uploads it to a remote location. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-120411-2511-99"
+ ]
+ },
+ "uuid": "0687203f-8f57-4de3-86f5-ceb3f151151c"
+ },
+ {
+ "value": "MdotM",
+ "description": "MdotM is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5824-99"
+ ]
+ },
+ "uuid": "aa94146b-6901-4c6c-8669-d64b4eb70594"
+ },
+ {
+ "value": "Medialets",
+ "description": "Medialets is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5222-99"
+ ]
+ },
+ "uuid": "3bd73087-fdf8-426a-84b9-50f308a05c53"
+ },
+ {
+ "value": "Meshidden",
+ "description": "Meshidden is a spyware application for Android devices that allows the device it is installed on to be monitored.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031913-5257-99"
+ ]
+ },
+ "uuid": "35ec0f9f-4516-45ed-b101-6829bd99ce86"
+ },
+ {
+ "value": "Mesploit",
+ "description": "Mesploit is a tool for Android devices used to create applications that exploit the Android Fake ID vulnerability.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-032014-2847-99"
+ ]
+ },
+ "uuid": "bed7e358-3b69-4944-898f-aabf32e1af3d"
+ },
+ {
+ "value": "Mesprank",
+ "description": "Mesprank is a Trojan horse for Android devices that opens a back door on the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030717-1933-99"
+ ]
+ },
+ "uuid": "989b1801-a3a9-4671-b161-d7b07cbbae32"
+ },
+ {
+ "value": "Meswatcherbox",
+ "description": "Meswatcherbox is a spyware application for Android devices that forwards SMS messages without the user knowing.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-2736-99"
+ ]
+ },
+ "uuid": "d4a7f045-7e1c-4467-8eb7-7dc3ce3c04dd"
+ },
+ {
+ "value": "Miji",
+ "description": "Miji is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4720-99"
+ ]
+ },
+ "uuid": "c5fa5347-0338-43f1-813b-b11ce13a44e5"
+ },
+ {
+ "value": "Milipnot",
+ "description": "Milipnot is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-070414-0941-99"
+ ]
+ },
+ "uuid": "44ab46dd-7027-4f66-a716-d59db5cf5e73"
+ },
+ {
+ "value": "MillennialMedia",
+ "description": "MillennialMedia is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4602-99"
+ ]
+ },
+ "uuid": "549a3d4e-d8f8-48b5-9b4b-659646640f85"
+ },
+ {
+ "value": "Mitcad",
+ "description": "Mitcad is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040212-0528-99"
+ ]
+ },
+ "uuid": "03d069bd-53f5-4d62-82af-2461b8b501f7"
+ },
+ {
+ "value": "MobClix",
+ "description": "MobClix is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4011-99"
+ ]
+ },
+ "uuid": "9688b924-811f-4315-ba42-2ee1e9e52b55"
+ },
+ {
+ "value": "MobFox",
+ "description": "MobFox is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-3050-99"
+ ]
+ },
+ "uuid": "ee248082-86b3-48ce-9500-47ccd471edec"
+ },
+ {
+ "value": "Mobidisplay",
+ "description": "Mobidisplay is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-0435-99"
+ ]
+ },
+ "uuid": "d2a7cd95-3a32-4da4-97fb-a0982c2eaf60"
+ },
+ {
+ "value": "Mobigapp",
+ "description": "Mobigapp is a Trojan horse for Android devices that downloads applications disguised as system updates. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062520-5802-99"
+ ]
+ },
+ "uuid": "f35969cc-13d8-46cf-a4cc-ff2f15844205"
+ },
+ {
+ "value": "MobileBackup",
+ "description": "MobileBackup is a spyware application for Android devices that monitors the affected device.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-0040-99"
+ ]
+ },
+ "uuid": "caea6805-dad0-44b7-a0f2-3f41c227698c"
+ },
+ {
+ "value": "Mobilespy",
+ "description": "Mobilespy is a Trojan horse that steals information from Android devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071512-0653-99"
+ ]
+ },
+ "uuid": "a6acb97a-359a-4fdc-9f27-2190dbe66c02"
+ },
+ {
+ "value": "Mobiletx",
+ "description": "Mobiletx is a Trojan horse for Android devices that steals information from the compromised device. It may also send SMS messages to a premium-rate number. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-052807-4439-99"
+ ]
+ },
+ "uuid": "3752d35b-0cbf-41ee-a057-6252342d94a7"
+ },
+ {
+ "value": "Mobinaspy",
+ "description": "Mobinaspy is a spyware application for Android devices that can track the device's location.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-0511-99"
+ ]
+ },
+ "uuid": "dda43d3d-5852-4957-834a-a711bbfa3e4a"
+ },
+ {
+ "value": "Mobus",
+ "description": "Mobus is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2006-99"
+ ]
+ },
+ "uuid": "95272c25-5df1-47ef-af3d-88e7b7492d45"
+ },
+ {
+ "value": "MobWin",
+ "description": "MobWin is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1522-99"
+ ]
+ },
+ "uuid": "960804ae-0c6a-42de-9f0c-2b20a56c2c32"
+ },
+ {
+ "value": "Mocore",
+ "description": "Mocore is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-092112-4603-99"
+ ]
+ },
+ "uuid": "be1c2349-1864-4164-905b-cd971454448d"
+ },
+ {
+ "value": "Moghava",
+ "description": "Moghava is a Trojan horse for Android devices that modifies images that are stored on the device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022712-2822-99"
+ ]
+ },
+ "uuid": "671a2ca3-fa4f-4bfb-95d0-ac9c2479edff"
+ },
+ {
+ "value": "Momark",
+ "description": "Momark is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-5529-99"
+ ]
+ },
+ "uuid": "f68ccede-1c5a-4d27-8d5f-2e68ebbbfcd7"
+ },
+ {
+ "value": "Monitorello",
+ "description": "Monitorello is a spyware application for Android devices that allows the device it is installed on to be monitored.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-4737-99"
+ ]
+ },
+ "uuid": "5b89b17f-d569-4c7d-9990-c8054d506e02"
+ },
+ {
+ "value": "Moolah",
+ "description": "Moolah is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1007-99"
+ ]
+ },
+ "uuid": "c630be3f-709c-42e7-8523-905ca6896066"
+ },
+ {
+ "value": "MoPub",
+ "description": "MoPub is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-2456-99"
+ ]
+ },
+ "uuid": "1243bbc1-32a5-4034-a68b-fe67472469af"
+ },
+ {
+ "value": "Morepaks",
+ "description": "Morepaks is a Trojan horse for Android devices that downloads remote files and may display advertisements on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071204-1130-99"
+ ]
+ },
+ "uuid": "20ca85ec-bb04-47b1-9179-aa3871724cc4"
+ },
+ {
+ "value": "Nandrobox",
+ "description": "Nandrobox is a Trojan horse for Android devices that steals information from the compromised device. It also deletes certain SMS messages from the device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-070212-2132-99"
+ ]
+ },
+ "uuid": "32ebe3f6-4a19-4e95-b06b-18663f4f0b43"
+ },
+ {
+ "value": "Netisend",
+ "description": "Netisend is a Trojan horse that steals information from Android devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-080207-1139-99"
+ ]
+ },
+ "uuid": "deef380d-8e63-4669-9f5b-0cbf50c57070"
+ },
+ {
+ "value": "Nickispy",
+ "description": "Nickispy is a Trojan horse that steals information from Android devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-072714-3613-99"
+ ]
+ },
+ "uuid": "7bdcf5c4-4c1d-4f37-8811-58f60c07dc51"
+ },
+ {
+ "value": "Notcompatible",
+ "description": "Notcompatible is a Trojan horse for Android devices that acts as a proxy. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-050307-2712-99"
+ ]
+ },
+ "uuid": "c18d1cdc-855a-47b0-93f6-9d8795c9121d"
+ },
+ {
+ "value": "Nuhaz",
+ "description": "Nuhaz is a Trojan horse for Android devices that may intercept text messages on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-3416-99"
+ ]
+ },
+ "uuid": "ea8ff12e-fdd1-425d-bb4e-39374040b290"
+ },
+ {
+ "value": "Nyearleaker",
+ "description": "Nyearleaker is a Trojan horse program for Android devices that steals information. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-010514-0844-99"
+ ]
+ },
+ "uuid": "08381c6b-5c92-4e14-8ad5-52954b101907"
+ },
+ {
+ "value": "Obad",
+ "description": "Obad is a Trojan horse for Android devices that opens a back door, steals information, and downloads files. It also sends SMS messages to premium-rate numbers and spreads malware to Bluetooth-enabled devices. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99"
+ ]
+ },
+ "uuid": "f59181e2-6214-4ff7-842e-916d124b3535"
+ },
+ {
+ "value": "Oneclickfraud",
+ "description": "Oneclickfraud is a Trojan horse for Android devices that attempts to coerce a user into paying for a pornographic service. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-011205-4412-99"
+ ]
+ },
+ "uuid": "99ebc7b4-dbba-4c1c-a991-3c75d69007f6"
+ },
+ {
+ "value": "Opfake",
+ "description": "Opfake is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99"
+ ]
+ },
+ "uuid": "9017bea0-d29e-4a2d-bda5-03ca6d0c7bc0"
+ },
+ {
+ "value": "Opfake.B",
+ "description": "Opfake.B is a Trojan horse for the Android platform that may receive commands from a remote attacker to perform various functions. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022406-1309-99"
+ ]
+ },
+ "uuid": "40115080-242e-4278-97b6-77171aa6ec47"
+ },
+ {
+ "value": "Ozotshielder",
+ "description": "Ozotshielder is a Trojan horse that steals information from Android devices. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-091505-3230-99"
+ ]
+ },
+ "uuid": "b6e17717-a860-412b-a223-8fb0a7f5fe26"
+ },
+ {
+ "value": "Pafloat",
+ "description": "Pafloat is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-2015-99"
+ ]
+ },
+ "uuid": "4fa40665-8a2a-4b01-bda7-5860497a46cc"
+ },
+ {
+ "value": "PandaAds",
+ "description": "PandaAds is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1959-99"
+ ]
+ },
+ "uuid": "fd4d373a-dc7a-4ed0-8880-3f4d46ab4541"
+ },
+ {
+ "value": "Pandbot",
+ "description": "Pandbot is a Trojan horse for Android devices that may download more files onto the device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071215-1454-99"
+ ]
+ },
+ "uuid": "aaa14125-c4eb-49b1-a397-6eb23e9ca8bf"
+ },
+ {
+ "value": "Pdaspy",
+ "description": "Pdaspy is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-0749-99"
+ ]
+ },
+ "uuid": "d206b674-2c8b-4165-955f-c7b3747f881e"
+ },
+ {
+ "value": "Penetho",
+ "description": "Penetho is a hacktool for Android devices that can be used to crack the WiFi password of the router that the device is using.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-100110-3614-99"
+ ]
+ },
+ "uuid": "a032b966-7274-4963-82e3-4d6ea805db91"
+ },
+ {
+ "value": "Perkel",
+ "description": "Perkel is a Trojan horse for Android devices that may steal information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-082811-4213-99"
+ ]
+ },
+ "uuid": "c076d45a-d4f8-4e6b-9f69-71687b5670f7"
+ },
+ {
+ "value": "Phimdropper",
+ "description": "Phimdropper is a Trojan horse for Android devices that sends and intercepts incoming SMS messages. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-021002-2943-99"
+ ]
+ },
+ "uuid": "12801a82-add4-48f4-957a-5e7b09f2d0e3"
+ },
+ {
+ "value": "Phospy",
+ "description": "Phospy is a Trojan horse for Android devices that steals confidential information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99"
+ ]
+ },
+ "uuid": "058809da-b25d-429b-8773-e2b2f820d5ef"
+ },
+ {
+ "value": "Piddialer",
+ "description": "Piddialer is a Trojan horse for Android devices that dials premium-rate numbers from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-2247-99"
+ ]
+ },
+ "uuid": "c561faeb-2b49-413c-90fa-879fed864e76"
+ },
+ {
+ "value": "Pikspam",
+ "description": "Pikspam is a Trojan horse for Android devices that sends spam SMS messages from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-121815-0336-99"
+ ]
+ },
+ "uuid": "da914e7e-8cd2-49d2-9e6c-ce7f5174f3e1"
+ },
+ {
+ "value": "Pincer",
+ "description": "Pincer is a Trojan horse for Android devices that steals confidential information and opens a back door on the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-052307-3530-99"
+ ]
+ },
+ "uuid": "4ef79875-3b57-4025-8a2a-07cdb078064f"
+ },
+ {
+ "value": "Pirator",
+ "description": "Pirator is a Trojan horse on the Android platform that downloads files and steals potentially confidential information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-021609-5740-99"
+ ]
+ },
+ "uuid": "42b22f4f-c4ca-49a7-8ef2-4f470a611d87"
+ },
+ {
+ "value": "Pjapps",
+ "description": "Pjapps is a Trojan horse that has been embedded on third party applications and opens a back door on the compromised device. It retrieves commands from a remote command and control server. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-022303-3344-99"
+ ]
+ },
+ "uuid": "5ad131de-ee9b-4815-9779-dd41bbc691ac"
+ },
+ {
+ "value": "Pjapps.B",
+ "description": "Pjapps.B is a Trojan horse for Android devices that opens a back door on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032014-1624-99"
+ ]
+ },
+ "uuid": "337a4e0f-3ba7-4b3e-8ee8-6dec28efa367"
+ },
+ {
+ "value": "Pletora",
+ "description": "Pletora is a is a Trojan horse for Android devices that may lock the compromised device. It then asks the user to pay in order to unlock the device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-061217-4345-99"
+ ]
+ },
+ "uuid": "e7fcea42-c041-4650-8a74-980e2580f707"
+ },
+ {
+ "value": "Poisoncake",
+ "description": "Poisoncake is a Trojan horse for Android devices that opens a back door on the compromised device. It may also download potentially malicious files and steal information. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-010610-0726-99"
+ ]
+ },
+ "uuid": "f3fa28df-2f61-4391-921d-0df12015406a"
+ },
+ {
+ "value": "Pontiflex",
+ "description": "Pontiflex is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-0946-99"
+ ]
+ },
+ "uuid": "a69028fd-345c-46c1-a8e4-5344edf4a83b"
+ },
+ {
+ "value": "Positmob",
+ "description": "Positmob is a Trojan horse program for Android devices that sends SMS messages to premium rate phone numbers. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111409-1556-99"
+ ]
+ },
+ "uuid": "55014563-84cd-42bd-a4d0-9cb59fed0954"
+ },
+ {
+ "value": "Premiumtext",
+ "description": "Premiumtext is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers. These Trojans will often be repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-080213-5308-99"
+ ]
+ },
+ "uuid": "aafa218b-681d-4fa9-bbe0-3e5e1655e379"
+ },
+ {
+ "value": "Pris",
+ "description": "Pris is a Trojan horse for Android devices that silently downloads a malicious application and attempts to open a back door on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061820-5638-99"
+ ]
+ },
+ "uuid": "84c24979-1f6b-4fb6-9783-b0262002f27c"
+ },
+ {
+ "value": "Qdplugin",
+ "description": "Qdplugin is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-102510-3330-99"
+ ]
+ },
+ "uuid": "104be155-2e71-46bf-90a4-c2b27c6b6825"
+ },
+ {
+ "value": "Qicsomos",
+ "description": "Qicsomos is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-011007-2223-99"
+ ]
+ },
+ "uuid": "ef0a5556-2328-47f2-9703-bd8001639afe"
+ },
+ {
+ "value": "Qitmo",
+ "description": "Qitmo is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030716-4923-99"
+ ]
+ },
+ "uuid": "0d2c5dd9-8300-4570-a49e-971ac90efdec"
+ },
+ {
+ "value": "Rabbhome",
+ "description": "Rabbhome is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-053007-3750-99"
+ ]
+ },
+ "uuid": "4c15d120-70c8-4d9f-b001-bf6c218a991a"
+ },
+ {
+ "value": "Repane",
+ "description": "Repane is a Trojan horse for Android devices that steals information and sends SMS messages from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-090411-5052-99"
+ ]
+ },
+ "uuid": "4f07cf74-9b9b-479d-859e-67a2a13ca5de"
+ },
+ {
+ "value": "Reputation.1",
+ "description": "Reputation.1 is a detection for Android files based on analysis performed by Norton Mobile Insight. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022612-2619-99"
+ ]
+ },
+ "uuid": "d1ef2846-24cc-48a7-9bf2-c739eed7d25a"
+ },
+ {
+ "value": "Reputation.2",
+ "description": "Reputation.2 is a detection for Android files based on analysis performed by Norton Mobile Insight. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-2629-99"
+ ]
+ },
+ "uuid": "522a2325-290b-45ac-9eab-ffdf3898dbee"
+ },
+ {
+ "value": "Reputation.3",
+ "description": "Reputation.3 is a detection for Android files based on analysis performed by Norton Mobile Insight. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-3126-99"
+ ]
+ },
+ "uuid": "095a898a-301a-49f1-9bc6-c43425d17c8e"
+ },
+ {
+ "value": "RevMob",
+ "description": "RevMob is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040308-0502-99"
+ ]
+ },
+ "uuid": "6469a63e-5c6b-4517-9540-eb16488ad67a"
+ },
+ {
+ "value": "Roidsec",
+ "description": "Roidsec is a Trojan horse for Android devices that steals confidential information. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99"
+ ]
+ },
+ "uuid": "06ae93ed-13ba-4200-9c91-8901f08a4fae"
+ },
+ {
+ "value": "Rootcager",
+ "description": "Rootcager is a Trojan horse that steals information from Android devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-030212-1438-99"
+ ]
+ },
+ "uuid": "25f0c7d4-f961-4cd1-ac70-90242506200d"
+ },
+ {
+ "value": "Rootnik",
+ "description": "Rootnik is a Trojan horse for Android devices that steals information and downloads additional apps. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99"
+ ]
+ },
+ "uuid": "05f5a051-d7a2-4757-a2f0-d685334d9374"
+ },
+ {
+ "value": "Rufraud",
+ "description": "Rufraud is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-121306-2304-99"
+ ]
+ },
+ "uuid": "99064315-2097-4c2e-8f92-a34ab9422441"
+ },
+ {
+ "value": "Rusms",
+ "description": "Rusms is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-061711-5009-99"
+ ]
+ },
+ "uuid": "77ba4823-2d71-4ead-aba8-71a15a2a7c99"
+ },
+ {
+ "value": "Samsapo",
+ "description": "Samsapo is a worm for Android devices that spreads by sending SMS messages to all contacts stored on the compromised device. It also opens a back door and downloads files. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-050111-1908-99"
+ ]
+ },
+ "uuid": "d266a784-3ce7-40f2-b710-0d758700276b"
+ },
+ {
+ "value": "Sandorat",
+ "description": "Sandorat is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals information. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-110720-2146-99"
+ ]
+ },
+ "uuid": "f0baccdc-d38f-4bb1-ab42-319b69be6322"
+ },
+ {
+ "value": "Sberick",
+ "description": "Sberick is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-071014-2146-99"
+ ]
+ },
+ "uuid": "bd781792-dd1f-4fa9-a523-53f578b8f52c"
+ },
+ {
+ "value": "Scartibro",
+ "description": "Scartibro is a Trojan horse for Android devices that locks the compromised device and asks the user to pay in order to unlock it. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-080718-2038-99"
+ ]
+ },
+ "uuid": "0c7bac44-c062-4dd6-824d-79f3c225d3e5"
+ },
+ {
+ "value": "Scipiex",
+ "description": "Scipiex is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-100814-4702-99"
+ ]
+ },
+ "uuid": "e658c4ff-a749-44d1-9c7c-d8782cecbb05"
+ },
+ {
+ "value": "Selfmite",
+ "description": "Selfmite is a worm for Android devices that spreads through SMS messages. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-070111-5857-99"
+ ]
+ },
+ "uuid": "666eb607-971e-4a90-92df-2b1903eb5c29"
+ },
+ {
+ "value": "Selfmite.B",
+ "description": "Selfmite.B is a worm for Android devices that displays ads on the compromised device. It spreads through SMS messages. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-101013-4717-99"
+ ]
+ },
+ "uuid": "1031ff29-419d-450e-a1d3-d203db10b7df"
+ },
+ {
+ "value": "SellARing",
+ "description": "SellARing is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-3157-99"
+ ]
+ },
+ "uuid": "875a58aa-f155-48d5-86a7-b18bf711a211"
+ },
+ {
+ "value": "SendDroid",
+ "description": "SendDroid is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-2111-99"
+ ]
+ },
+ "uuid": "69ca9eb1-f19a-4442-8bfd-ac5f9a5387c2"
+ },
+ {
+ "value": "Simhosy",
+ "description": "Simhosy is a Trojan horse for Android devices that steals information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-061013-3955-99"
+ ]
+ },
+ "uuid": "96624486-651c-499d-a731-83e149e16ea4"
+ },
+ {
+ "value": "Simplocker",
+ "description": "Simplocker is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-060610-5533-99"
+ ]
+ },
+ "uuid": "194d0629-9e26-4de4-8239-85b862aadc7f"
+ },
+ {
+ "value": "Simplocker.B",
+ "description": "Simplocker.B is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-072317-1950-99"
+ ]
+ },
+ "uuid": "6cf6fdd1-acce-4498-afe9-bc9202235cfa"
+ },
+ {
+ "value": "Skullkey",
+ "description": "Skullkey is a Trojan horse for Android devices that gives the attacker remote control of the compromised device to perform malicious activity. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99"
+ ]
+ },
+ "uuid": "8f5e8349-14cb-4dc2-86dc-bcfe7360d4c7"
+ },
+ {
+ "value": "Smaato",
+ "description": "Smaato is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052622-1755-99"
+ ]
+ },
+ "uuid": "5e02d505-59bf-493e-b9d8-29dffcc5045a"
+ },
+ {
+ "value": "Smbcheck",
+ "description": "Smbcheck is a hacktool for Android devices that can trigger a Server Message Block version 2 (SMBv2) vulnerability and may cause the target computer to crash.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-5634-99"
+ ]
+ },
+ "uuid": "60be1539-2205-4865-87ab-318dcdb1873e"
+ },
+ {
+ "value": "Smsblocker",
+ "description": "Smsblocker is a generic detection for threats on Android devices that block the transmission of SMS messages. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-081607-4001-99"
+ ]
+ },
+ "uuid": "13b6f47b-12bd-4c0a-88d1-b6a627169266"
+ },
+ {
+ "value": "Smsbomber",
+ "description": "Smsbomber is a program that can be used to send messages to contacts on the device.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-112611-5837-99"
+ ]
+ },
+ "uuid": "054789dc-6ffa-4a06-ace9-6fd7095c7504"
+ },
+ {
+ "value": "Smslink",
+ "description": "Smslink is a Trojan horse for Android devices that may send malicious SMS messages from the compromised device. It may also display advertisements. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-112600-3035-99"
+ ]
+ },
+ "uuid": "5d41547a-fc71-4e49-8dbf-59f15a58a74c"
+ },
+ {
+ "value": "Smspacem",
+ "description": "Smspacem is a Trojan horse that may send SMS messages from Android devices. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-052310-1322-99"
+ ]
+ },
+ "uuid": "3191e73e-72a4-4a05-9d5b-2da158822820"
+ },
+ {
+ "value": "SMSReplicator",
+ "description": "SMSReplicator is a spying utility that will secretly transmit incoming SMS messages to another phone of the installer's choice. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2010-110214-1252-99"
+ ]
+ },
+ "uuid": "8e638226-b772-492c-b0a3-3a77e5b08496"
+ },
+ {
+ "value": "Smssniffer",
+ "description": "Smssniffer is a Trojan horse that intercepts SMS messages on Android devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071108-3626-99"
+ ]
+ },
+ "uuid": "4d79cd58-217a-454a-991c-19219612580c"
+ },
+ {
+ "value": "Smsstealer",
+ "description": "Smsstealer is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-121514-0214-99"
+ ]
+ },
+ "uuid": "c502316f-f3bb-47a4-9198-d73426609429"
+ },
+ {
+ "value": "Smstibook",
+ "description": "Smstibook is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-051207-4833-99"
+ ]
+ },
+ "uuid": "312806f6-dc58-4b2b-b86e-1338626460ea"
+ },
+ {
+ "value": "Smszombie",
+ "description": "Smszombie is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-082011-0922-99"
+ ]
+ },
+ "uuid": "99884c3e-cc56-4099-a52b-136ae0078d61"
+ },
+ {
+ "value": "Snadapps",
+ "description": "Snadapps is a Trojan horse that steals information from Android devices. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071807-3111-99"
+ ]
+ },
+ "uuid": "ac43bc86-59da-42ad-82d6-d0a17cc04a40"
+ },
+ {
+ "value": "Sockbot",
+ "description": "Sockbot is a Trojan horse for Android devices that creates a SOCKS proxy on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2017-101314-1353-99"
+ ]
+ },
+ "uuid": "e8096285-d437-4664-9125-d30cb19b84cb"
+ },
+ {
+ "value": "Sockrat",
+ "description": "Sockrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99"
+ ]
+ },
+ "uuid": "dadccdda-a4c2-4021-90b9-61a394e602be"
+ },
+ {
+ "value": "Sofacy",
+ "description": "Sofacy is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2017-010508-5201-99"
+ ]
+ },
+ "uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729"
+ },
+ {
+ "value": "Sosceo",
+ "description": "Sosceo is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040408-0609-99"
+ ]
+ },
+ "uuid": "f1118dcb-13a3-4021-8dee-22201ae9324a"
+ },
+ {
+ "value": "Spitmo",
+ "description": "Spitmo is a Trojan horse that steals information from Android devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-091407-1435-99"
+ ]
+ },
+ "uuid": "98a51dbd-5fe4-44f1-8171-2f7bb5691ca8"
+ },
+ {
+ "value": "Spitmo.B",
+ "description": "Spitmo.B is a Trojan horse for Android devices that steals information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-0445-99"
+ ]
+ },
+ "uuid": "75ee2fc5-f412-42a3-b17b-be5b7c1b5172"
+ },
+ {
+ "value": "Spyagent",
+ "description": "Spyagent is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-090710-1836-99"
+ ]
+ },
+ "uuid": "b399f848-032d-4e7b-8c53-1d61ef53ef73"
+ },
+ {
+ "value": "Spybubble",
+ "description": "Spybubble is a Spyware application for Android devices that logs the device's activity and sends it to a predetermined website.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-121917-0335-99"
+ ]
+ },
+ "uuid": "ee87a204-a0d6-4e4b-ba05-85853df60857"
+ },
+ {
+ "value": "Spydafon",
+ "description": "Spydafon is a Potentially Unwanted Application for Android devices that monitors the affected device.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030722-4740-99"
+ ]
+ },
+ "uuid": "8e313409-bee2-4ea5-9dc5-062dde2d37a7"
+ },
+ {
+ "value": "Spymple",
+ "description": "Spymple is a spyware application for Android devices that allows the device it is installed on to be monitored.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-5403-99"
+ ]
+ },
+ "uuid": "d2f7d24a-5ad2-4cae-a600-9f9e0415e32f"
+ },
+ {
+ "value": "Spyoo",
+ "description": "Spyoo is a spyware program for Android devices that records and sends certain information to a remote location.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-081709-0457-99"
+ ]
+ },
+ "uuid": "d3f5be8f-e1bd-45a7-b78e-1594884ed740"
+ },
+ {
+ "value": "Spytekcell",
+ "description": "Spytekcell is a spyware program for Android devices that monitors and sends certain 
information to a remote location.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-121021-0730-99"
+ ]
+ },
+ "uuid": "7e83bb34-5b0a-4a04-9c33-45ccd62adb49"
+ },
+ {
+ "value": "Spytrack",
+ "description": "Spytrack is a spyware program for Android devices that periodically sends certain information to a remote location.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080109-5710-99"
+ ]
+ },
+ "uuid": "70ff60ea-2955-4ab0-ad7f-aa33e6bb0b9c"
+ },
+ {
+ "value": "Spywaller",
+ "description": "Spywaller is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-121807-0203-99"
+ ]
+ },
+ "uuid": "eff7bcd4-a797-4a85-8db2-583b182c98e5"
+ },
+ {
+ "value": "Stealthgenie",
+ "description": "Stealthgenie is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99"
+ ]
+ },
+ "uuid": "3e90ee61-4377-473f-8469-7a91875b54f1"
+ },
+ {
+ "value": "Steek",
+ "description": "Steek is a potentially unwanted application that is placed on a download website for Android applications and disguised as popular applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-010911-3142-99"
+ ]
+ },
+ "uuid": "31f0f24e-6807-4a1a-b14d-cb421b1aea12"
+ },
+ {
+ "value": "Stels",
+ "description": "Stels is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-032910-0254-99"
+ ]
+ },
+ "uuid": "435cbdcd-4cab-4a2e-8e58-9094b6226f94"
+ },
+ {
+ "value": "Stiniter",
+ "description": "Stiniter is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-030903-5228-99"
+ ]
+ },
+ "uuid": "418dc95a-a638-4e85-b72d-0bf6b7cbda0c"
+ },
+ {
+ "value": "Sumzand",
+ "description": "Sumzand is a Trojan horse for Android devices that steals information and sends it to a remote location. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080308-2851-99"
+ ]
+ },
+ "uuid": "2799ad1e-b438-4da5-a489-6035643c71a8"
+ },
+ {
+ "value": "Sysecsms",
+ "description": "Sysecsms is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-122714-5228-99"
+ ]
+ },
+ "uuid": "7f7611d7-0419-4d6c-8026-6d132912f297"
+ },
+ {
+ "value": "Tanci",
+ "description": "Tanci is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4108-99"
+ ]
+ },
+ "uuid": "031cabf7-f43c-4de3-9cd7-2ee96a4a3696"
+ },
+ {
+ "value": "Tapjoy",
+ "description": "Tapjoy is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-4702-99"
+ ]
+ },
+ "uuid": "e57f936d-0cf2-4f83-9daf-3d167de8fdfb"
+ },
+ {
+ "value": "Tapsnake",
+ "description": "Tapsnake is a Trojan horse for Android phones that is embedded into a game. It tracks the phone's location and posts it to a remote web service. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2010-081214-2657-99"
+ ]
+ },
+ "uuid": "a5ff203d-3613-4b66-bdec-ef342e9c85c2"
+ },
+ {
+ "value": "Tascudap",
+ "description": "Tascudap is a Trojan horse for Android devices that uses the compromised device in denial of service attacks. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-121312-4547-99"
+ ]
+ },
+ "uuid": "171cfcc4-171c-4f62-82c0-b1583937cd0d"
+ },
+ {
+ "value": "Teelog",
+ "description": "Teelog is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-040215-2736-99"
+ ]
+ },
+ "uuid": "9de29650-4fca-40d1-8def-1fe39bde13a3"
+ },
+ {
+ "value": "Temai",
+ "description": "Temai is a Trojan horse for Android applications that opens a back door and downloads malicious files onto the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99"
+ ]
+ },
+ "uuid": "3b8479b5-1ea2-4a0d-a80d-4ab9f91b477a"
+ },
+ {
+ "value": "Tetus",
+ "description": "Tetus is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-012409-4705-99"
+ ]
+ },
+ "uuid": "d706632e-0940-4ae0-9fc5-ed59b941828c"
+ },
+ {
+ "value": "Tgpush",
+ "description": "Tgpush is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032816-0259-99"
+ ]
+ },
+ "uuid": "c9e1c4d7-7082-45c3-8aae-4449d94639ef"
+ },
+ {
+ "value": "Tigerbot",
+ "description": "Tigerbot is a Trojan horse for Android devices that opens a back door on the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-041010-2221-99"
+ ]
+ },
+ "uuid": "7ae84b6b-79c0-4835-8ebe-f9da724cde3f"
+ },
+ {
+ "value": "Tonclank",
+ "description": "Tonclank is a Trojan horse that steals information and may open a back door on Android devices. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99"
+ ]
+ },
+ "uuid": "68c29f38-36a6-46c0-bef9-cd70de3d6497"
+ },
+ {
+ "value": "Trogle",
+ "description": "Trogle is a worm for Android devices that may steal information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-081213-5553-99"
+ ]
+ },
+ "uuid": "fae64496-415e-49fa-94ed-519ef7a0fac9"
+ },
+ {
+ "value": "Twikabot",
+ "description": "Twikabot is a Trojan horse for Android devices that attempts to steal information. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062614-5813-99"
+ ]
+ },
+ "uuid": "301a279e-ea93-4857-b994-b846712b6fac"
+ },
+ {
+ "value": "Uapush",
+ "description": "Uapush is a Trojan horse for Android devices that steals information from the compromised device. It may also display advertisements and send SMS messages from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-040114-2910-99"
+ ]
+ },
+ "uuid": "c7c3547b-513c-4f65-b896-77bcf2bbf3a9"
+ },
+ {
+ "value": "Umeng",
+ "description": "Umeng is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5749-99"
+ ]
+ },
+ "uuid": "bc21922b-50a2-49a2-8828-c032b75dd4d1"
+ },
+ {
+ "value": "Updtbot",
+ "description": "Updtbot is a Trojan horse for Android devices that may arrive through SMS messages. It may then open a back door on the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-041611-4136-99"
+ ]
+ },
+ "uuid": "572c7fc4-081b-4e13-a1c2-5c1b7c7288bf"
+ },
+ {
+ "value": "Upush",
+ "description": "Upush is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-0733-99"
+ ]
+ },
+ "uuid": "6d386a6c-0cd2-47f9-891d-435e135bf005"
+ },
+ {
+ "value": "Uracto",
+ "description": "Uracto is a Trojan horse for Android devices that steals personal information and sends spam SMS messages to contacts found on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-031805-2722-99"
+ ]
+ },
+ "uuid": "d94c59b1-165b-4f8c-ba96-16209a99bbd0"
+ },
+ {
+ "value": "Uranico",
+ "description": "Uranico is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-052803-3835-99"
+ ]
+ },
+ "uuid": "6d50487d-ac9a-4369-9520-471b2c9d2413"
+ },
+ {
+ "value": "Usbcleaver",
+ "description": "Usbcleaver is a Trojan horse for Android devices that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99"
+ ]
+ },
+ "uuid": "5110098d-d07d-4e85-bde5-2b2dcd844317"
+ },
+ {
+ "value": "Utchi",
+ "description": "Utchi is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-2536-99"
+ ]
+ },
+ "uuid": "45633e6c-482b-40d8-aab6-5702ebfd1a25"
+ },
+ {
+ "value": "Uten",
+ "description": "Uten is a Trojan horse for Android devices that may send, block, and delete SMS messages on a compromised device. 
It may also download and install additional applications and attempt to gain root privileges. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-092316-4752-99"
+ ]
+ },
+ "uuid": "a677735e-fc30-47ea-a679-3eae567a0c50"
+ },
+ {
+ "value": "Uupay",
+ "description": "Uupay is a Trojan horse for Android devices that steals information from the compromised device. It may also download additional malware. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-061714-1550-99"
+ ]
+ },
+ "uuid": "0766d789-3c9b-4bad-bc2e-8bdeccdef2fa"
+ },
+ {
+ "value": "Uxipp",
+ "description": "Uxipp is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99"
+ ]
+ },
+ "uuid": "da60c9f2-5429-46f6-9482-6f406e56ba07"
+ },
+ {
+ "value": "Vdloader",
+ "description": "Vdloader is a Trojan horse for Android devices that opens a back door on the compromised device and steals confidential information. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080209-1420-99"
+ ]
+ },
+ "uuid": "d0dbf62f-77fe-4051-a34a-67c843248357"
+ },
+ {
+ "value": "VDopia",
+ "description": "VDopia is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-1559-99"
+ ]
+ },
+ "uuid": "17241b57-1b2f-4013-bc8b-f68e4e57e1a7"
+ },
+ {
+ "value": "Virusshield",
+ "description": "Virusshield is a Trojan horse for Android devices that claims to scan apps and protect personal information, but has no real functionality. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040810-5457-99"
+ ]
+ },
+ "uuid": "dd1185c0-6456-4231-b39b-b127c2be88c5"
+ },
+ {
+ "value": "VServ",
+ "description": "VServ is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-3117-99"
+ ]
+ },
+ "uuid": "e8d75cbf-aaed-4b9e-8599-36ee963f8439"
+ },
+ {
+ "value": "Walkinwat",
+ "description": "Walkinwat is a Trojan horse that steals information from the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-033008-4831-99"
+ ]
+ },
+ "uuid": "e2696142-5981-4055-874b-727eefda8c46"
+ },
+ {
+ "value": "Waps",
+ "description": "Waps is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040406-5437-99"
+ ]
+ },
+ "uuid": "aa3cebc6-9083-42c4-8eae-e7662aa934a2"
+ },
+ {
+ "value": "Waren",
+ "description": "Waren is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5501-99"
+ ]
+ },
+ "uuid": "164fb7dd-3fab-45fd-9d0a-4c2d61841059"
+ },
+ {
+ "value": "Windseeker",
+ "description": "Windseeker is a Trojan horse for Android devices that steals information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-101519-0720-99"
+ ]
+ },
+ "uuid": "30b09d1a-2503-4481-a939-f6227fb2ead5"
+ },
+ {
+ "value": "Wiyun",
+ "description": "Wiyun is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-5646-99"
+ ]
+ },
+ "uuid": "ced6bfb0-a4eb-460a-9594-185ddaaec5c6"
+ },
+ {
+ "value": "Wooboo",
+ "description": "Wooboo is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-5829-99"
+ ]
+ },
+ "uuid": "0bd6959f-b764-431f-b75c-0cb4fe88f025"
+ },
+ {
+ "value": "Wqmobile",
+ "description": "Wqmobile is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4926-99"
+ ]
+ },
+ "uuid": "ce553391-48ef-4749-af44-ef899e710558"
+ },
+ {
+ "value": "YahooAds",
+ "description": "YahooAds is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-3229-99"
+ ]
+ },
+ "uuid": "8ff80176-7fb2-41ed-8b4c-5995d4f4bc9f"
+ },
+ {
+ "value": "Yatoot",
+ "description": "Yatoot is a Trojan horse for Android devices that steals information from the compromised device. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-031408-4748-99"
+ ]
+ },
+ "uuid": "ac66cb33-91a0-4777-a78d-8077089a7231"
+ },
+ {
+ "value": "Yinhan",
+ "description": "Yinhan is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-3350-99"
+ ]
+ },
+ "uuid": "956d67a6-5e5f-48bf-b1c5-bc34536b8845"
+ },
+ {
+ "value": "Youmi",
+ "description": "Youmi is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4318-99"
+ ]
+ },
+ "uuid": "805ea1fb-c6e3-47d9-9eb5-2d4b73e63f42"
+ },
+ {
+ "value": "YuMe",
+ "description": "YuMe is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-0322-99"
+ ]
+ },
+ "uuid": "e5a6a49e-92df-4e94-ac87-78d0f08c482e"
+ },
+ {
+ "value": "Zeahache",
+ "description": "Zeahache is a Trojan horse that elevates privileges on the compromised device. ",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2011-032309-5042-99"
+ ]
+ },
+ "uuid": "78f04148-de99-4249-8057-ca610d6cab4e"
+ },
+ {
+ "value": "ZertSecurity",
+ "description": "ZertSecurity is a Trojan horse for Android devices that steals information and sends it to a remote attacker. 
",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2013-050820-4100-99"
+ ]
+ },
+ "uuid": "3f77d88c-b3a6-4cc8-bc09-40dca0f942c5"
+ },
+ {
+ "value": "ZestAdz",
+ "description": "ZestAdz is an advertisement library that is bundled with certain Android applications.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052616-3821-99"
+ ]
+ },
+ "uuid": "94572b76-b677-40da-8e92-db29ea1f0307"
+ },
+ {
+ "value": "Zeusmitmo",
+ "description": "Zeusmitmo is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080818-0448-99"
+ ]
+ },
+ "uuid": "1bce8b50-16e8-4548-94c9-f82bdbc91053"
+ },
+ {
+ "value": "SLocker",
+ "description": "The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom.",
+ "meta": {
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/"
+ ],
+ "synonyms": [
+ "SMSLocker"
+ ]
+ },
+ "uuid": "e8bb68f2-d8ca-4576-b47b-8123aef6324b"
+ },
+ {
+ "value": "Loapi",
+ "description": "A malware strain known as Loapi will damage phones if users don't remove it from their devices. Left to its own means, this modular threat will download a Monero cryptocurrency miner that will overheat and overwork the phone's components, which will make the battery bulge, deform the phone's cover, or even worse. 
Discovered by Kaspersky Labs, researchers say Loapi appears to have evolved from Podec, a malware strain spotted in 2015.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/android-malware-will-destroy-your-phone-no-ifs-and-buts-about-it/"
+ ]
+ },
+ "uuid": "2620f8ce-a4a6-4ea2-a281-7f476ff114ed"
+ },
+ {
+ "value": "Podec",
+ "description": "Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015.\nThe updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/sms-trojan-bypasses-captcha/69169//"
+ ]
+ },
+ "uuid": "e3cd1cf3-2f49-4adc-977f-d15a2b0b4c85"
+ }
+ ],
+ "version": 4,
+ "uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa",
+ "description": "Android malware galaxy based on multiple open sources.",
+ "authors": [
+ "Unknown"
+ ],
+ "source": "Open Sources",
+ "type": "android",
+ "name": "Android"
+}
\ No newline at end of file
diff --git a/clusters/banker.json b/clusters/banker.json
index f6c6300..ef94065 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -1,539 +1,579 @@
 {
- "values": [
- {
- "meta": {
- "refs": [
- "https://usa.kaspersky.com/resource-center/threats/zeus-virus"
- ],
- "synonyms": [
- "Zbot"
- ],
- "date": "Initally discovered between 2006 and 2007. New bankers with Zeus roots still active today."
- },
- "description": "Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.",
- "value": "Zeus"
- },
- {
- "meta": {
- "refs": [
- "https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/",
- "https://www.fidelissecurity.com/threatgeek/2016/05/vawtrak-trojan-bank-it-evolving",
- "https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows",
- "https://www.botconf.eu/wp-content/uploads/2016/11/2016-Vawtrak-technical-report.pdf"
- ],
- "synonyms": [
- "Neverquest"
- ],
- "date": "Discovered early 2013"
- },
- "description": "Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. 
Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.",
- "value": "Vawtrak"
- },
- {
- "meta": {
- "refs": [
- "https://blog.malwarebytes.com/detections/trojan-dridex/",
- "https://feodotracker.abuse.ch/"
- ],
- "synonyms": [
- "Feodo Version D"
- ],
- "date": "Discovery in 2014, still active"
- },
- "description": " Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.",
- "value": "Dridex"
- },
- {
- "meta": {
- "refs": [
- "https://www.secureworks.com/research/gozi",
- "https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007",
- "https://lokalhost.pl/gozi_tree.txt"
- ],
- "synonyms": [
- "Ursnif",
- "CRM",
- "Snifula",
- "Papras"
- ],
- "date": "First seen ~ 2007"
- },
- "description": "Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010",
- "value": "Gozi"
- },
- {
- "meta": {
- "refs": [
- "https://krebsonsecurity.com/tag/gozi-prinimalka/",
- "https://securityintelligence.com/project-blitzkrieg-how-to-block-the-planned-prinimalka-gozi-trojan-attack/",
- "https://lokalhost.pl/gozi_tree.txt"
- ],
- "synonyms": [
- "Prinimalka"
- ],
- "date": "Fall Oct. 2012 - Spring 2013"
- },
- "description": "Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.",
- "value": "Goziv2"
- },
- {
- "meta": {
- "refs": [
- "https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature",
- "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
- "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak",
- "https://lokalhost.pl/gozi_tree.txt"
- ],
- "date": "Beginning 2010"
- },
- "description": "Banking trojan based on Gozi source. 
Features include web injects for the victims’ browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.",
- "value": "Gozi ISFB"
- },
- {
- "meta": {
- "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
- "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality",
- "https://lokalhost.pl/gozi_tree.txt"
- ],
- "date": "Since 2014"
- },
- "description": "Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.",
- "value": "Dreambot"
- },
- {
- "meta": {
- "refs": [
- "https://lokalhost.pl/gozi_tree.txt",
- "http://archive.is/I7hi8#selection-217.0-217.6"
- ],
- "date": "Seen Autumn 2014"
- },
- "description": "Gozi ISFB variant ",
- "value": "IAP"
- },
- {
- "meta": {
- "refs": [
- "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
- "https://lokalhost.pl/gozi_tree.txt"
- ],
- "date": "Spring 2016"
- },
- "description": "GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers.",
- "value": "GozNym"
- },
- {
- "meta": {
- "refs": [
- "https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle",
- "https://www.scmagazine.com/terdot-zloaderzbot-combo-abuses-certificate-app-to-pull-off-mitm-browser-attacks/article/634443/"
- ],
- "synonyms": [
- "Zeus Terdot"
- ],
- "date": "First seen in Fall 2016 and still active today."
- },
- "description": "Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails. 
", - "value": "Zloader Zeus" - }, - { - "meta": { - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", - "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/" - ], - "synonyms": [ - "VM Zeus" - ], - "date": "First seen ~Feb 2014" - }, - "description": "Zeus variant that utilizes steganography in image files to retrieve configuration file. ", - "value": "Zeus VM" - }, - { - "meta": { - "refs": [ - "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/" - ], - "date": "First seen ~Aug 2015" - }, - "description": "Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.", - "value": "Zeus Sphinx" - }, - { - "meta": { - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market", - "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf", - "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers" - ], - "synonyms": [ - "Zeus Panda" - ], - "date": "First seen ~ Spring 2016" - }, - "description": "Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.", - "value": "Panda Banker" - }, - { - "meta": { - "refs": [ - "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/", - "https://github.com/nyx0/KINS" - ], - "synonyms": [ - "Kasper Internet Non-Security", - "Maple" - ], - "date": "First seen 2014" - }, - "description": "Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of it's config in the registry. 
", - "value": "Zeus KINS" - }, - { - "meta": { - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", - "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/" - ], - "date": "First seen fall of 2014" - }, - "description": "Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.", - "value": "Chthonic" - }, - { - "meta": { - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", - "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", - "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", - "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/" - ], - "synonyms": [ - "Trickster", - "Trickloader" - ], - "date": "Discovered Fall 2016" - }, - "description": "Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan", - "value": "Trickbot" - }, - { - "meta": { - "refs": [ - "https://www.secureworks.com/research/dyre-banking-trojan", - "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" - ], - "synonyms": [ - "Dyreza" - ], - "date": "Discovered ~June 2014" - }, - "description": "Dyre is a banking trojan distributed via exploit kits and malspam emails primarily. It has a modular architectur and utilizes man-in-the-browser functionality. 
It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.",
- "value": "Dyre"
- },
- {
- "meta": {
- "refs": [
- "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/",
- "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/",
- "https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/",
- "http://my.infotex.com/tiny-banker-trojan/"
- ],
- "synonyms": [
- "Zusy",
- "TinyBanker",
- "illi"
- ],
- "date": "Discovered ~Spring 2012"
- },
- "description": "Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.",
- "value": "Tinba"
- },
- {
- "meta": {
- "refs": [
- "https://feodotracker.abuse.ch/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/"
- ],
- "synonyms": [
- "Feodo Version C",
- "Emotet"
- ],
- "date": "Discovered ~Summer 2014"
- },
- "description": "Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.",
- "value": "Geodo"
- },
- {
- "meta": {
- "refs": [
- "https://securelist.com/dridex-a-history-of-evolution/78531/",
- "https://feodotracker.abuse.ch/",
- "http://stopmalvertising.com/rootkits/analysis-of-cridex.html"
- ],
- "synonyms": [
- "Bugat",
- "Cridex"
- ],
- "date": "Discovered ~September 2011"
- },
- "description": "Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. 
Version A = Port 8080, Version B = Port 80 It is delivered primarily via exploit kits and malspam emails.",
- "value": "Feodo"
- },
- {
- "meta": {
- "refs": [
- "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/"
- ],
- "synonyms": [
- "Nimnul"
- ],
- "date": "Discovered ~2010."
- },
- "description": "Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of perforrming Man-in-the-Browser attacks. Distributed primarily via exploit kits.",
- "value": "Ramnit"
- },
- {
- "meta": {
- "refs": [
- "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
- "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
- "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf"
- ],
- "synonyms": [
- "Qbot ",
- "Pinkslipbot"
- ],
- "date": "Discovered ~2007"
- },
- "description": "Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.",
- "value": "Qakbot"
- },
- {
- "meta": {
- "refs": [
- "https://securityintelligence.com/an-overnight-sensation-corebot-returns-as-a-full-fledged-financial-malware/",
- "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf",
- "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/"
- ],
- "date": "Discovered ~Fall 2015"
- },
- "description": "Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. 
Distributed primarily via malspam emails and exploit kits.",
- "value": "Corebot"
- },
- {
- "meta": {
- "refs": [
- "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/",
- "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/",
- "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/",
- "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596",
- "https://benkowlab.blogspot.ca/2017/08/quick-look-at-another-alina-fork-xbot.html"
- ],
- "synonyms": [
- "NukeBot",
- "Nuclear Bot",
- "MicroBankingTrojan",
- "Xbot"
- ],
- "date": "Discovered ~December 2016"
- },
- "description": "TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. It's main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.",
- "value": "TinyNuke"
- },
- {
- "meta": {
- "refs": [
- "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
- "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
- "https://countuponsecurity.com/2016/02/29/retefe-banking-trojan/",
- "https://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/",
- "http://securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters/"
- ],
- "synonyms": [
- "Tsukuba",
- "Werdlod"
- ],
- "date": "Discovered in 2014"
- },
- "description": "Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails. 
", - "value": "Retefe" - }, - { - "meta": { - "refs": [ - "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html", - "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under", - "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html", - "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/" - ], - "date": "Discovered ~early 2015" - }, - "description": "ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.", - "value": "ReactorBot" - }, - { - "meta": { - "refs": [ - "https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/" - ], - "date": "Discovered ~Spring 2017" - }, - "description": "Matrix Banker is named accordingly because of the Matrix reference in it's C2 panel. Distributed primarily via malspam emails.", - "value": "Matrix Banker" - }, - { - "meta": { - "refs": [ - "https://heimdalsecurity.com/blog/zeus-gameover/", - "https://www.us-cert.gov/ncas/alerts/TA14-150A" - ], - "date": "Discovered ~Sept. 2011" - }, - "description": "Zeus Gameover captures banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. 
Distributed primarily via malspam emails and exploit kits.",
- "value": "Zeus Gameover"
- },
- {
- "meta": {
- "refs": [
- "https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf",
- "https://www.computerworld.com/article/2509482/security0/spyeye-trojan-defeating-online-banking-defenses.html",
- "https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot"
- ],
- "date": "Discovered early 2011"
- },
- "description": "SpyEye is a similar to the Zeus botnet banking trojan. It utilizes a web control panel for C2 and can perform form grabbing, autofill credit card modules, ftp grabber, pop3 grabber and HTTP basic access authorization grabber. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.",
- "value": "SpyEye"
- },
- {
- "meta": {
- "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/",
- "https://krebsonsecurity.com/tag/citadel-trojan/",
- "https://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/"
- ],
- "date": "Discovered ~January 2012"
- },
- "description": "Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.",
- "value": "Citadel"
- },
- {
- "meta": {
- "refs": [
- "https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/",
- "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
- ],
- "date": "Discovered ~spring 2016"
- },
- "description": "Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.",
- "value": "Atmos"
- },
- {
- "meta": {
- "refs": [
- "https://securelist.com/ice-ix-not-cool-at-all/29111/ "
- ],
- "date": "Discovered ~Fall 2011"
- },
- "description": "Ice IX is a bot created using the source code of ZeuS 2.0.8.9. 
No major improvements compared to ZeuS 2.0.8.9.",
- "value": "Ice IX"
- },
- {
- "meta": {
- "refs": [
- "https://securelist.com/zeus-in-the-mobile-for-android-10/29258/"
- ],
- "date": "Discovered ~end of 2010"
- },
- "description": "Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.",
- "value": "Zitmo"
- },
- {
- "meta": {
- "refs": [
- "https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/",
- "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_LICAT.A",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus%3aWin32%2fMurofet.A"
- ],
- "synonyms": [
- "Murofet"
- ],
- "date": "Discovered in 2010"
- },
- "description": "Banking trojan based on Zeus V2. Murofet is a newer version of Licat found ~end of 2011",
- "value": "Licat"
- },
- {
- "meta": {
- "refs": [
- "https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/"
- ],
- "date": "Discovered end of 2012"
- },
- "description": "Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.",
- "value": "Skynet"
- },
- {
- "meta": {
- "refs": [
- "https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/",
- "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/"
- ],
- "date": "Discovered in September 2017"
- },
- "description": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. 
are also on the target list the malware fetches.",
- "value": "IcedID"
- },
- {
- "value": "GratefulPOS",
- "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.",
- "meta": {
- "refs": [
- "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
- ]
- }
- },
- {
- "value": "Dok",
- "description": "A macOS banking trojan that that redirects an infected user's web traffic in order to extract banking credentials.",
- "meta": {
- "refs": [
- "https://objective-see.com/blog/blog_0x25.html#Dok"
- ]
- }
- },
- {
- "value": "downAndExec",
- "description": "Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. 
The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.",
- "meta": {
- "refs": [
- "https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/"
- ]
- }
- },
- {
- "value": "Smominru",
- "description": "Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware.\nThe speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.",
- "meta": {
- "refs": [
- "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators"
- ],
- "synonyms": [
- "Ismo",
- "lsmo"
- ]
- }
- }
- ],
- "version": 7,
- "uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
- "description": "A list of banker malware.",
- "authors": [
- "Unknown"
- ],
- "source": "Open Sources",
- "type": "banker",
- "name": "Banker"
-}
+ "values": [
+ {
+ "meta": {
+ "refs": [
+ "https://usa.kaspersky.com/resource-center/threats/zeus-virus"
+ ],
+ "synonyms": [
+ "Zbot"
+ ],
+ "date": "Initally discovered between 2006 and 2007. New bankers with Zeus roots still active today." 
+ },
+ "description": "Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.",
+ "value": "Zeus",
+ "uuid": "f0ec2df5-2e38-4df3-970d-525352006f2e"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/",
+ "https://www.fidelissecurity.com/threatgeek/2016/05/vawtrak-trojan-bank-it-evolving",
+ "https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows",
+ "https://www.botconf.eu/wp-content/uploads/2016/11/2016-Vawtrak-technical-report.pdf"
+ ],
+ "synonyms": [
+ "Neverquest"
+ ],
+ "date": "Discovered early 2013"
+ },
+ "description": "Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.",
+ "value": "Vawtrak",
+ "uuid": "f3813bbd-682c-400d-8165-778be6d3f91f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://blog.malwarebytes.com/detections/trojan-dridex/",
+ "https://feodotracker.abuse.ch/"
+ ],
+ "synonyms": [
+ "Feodo Version D"
+ ],
+ "date": "Discovery in 2014, still active"
+ },
+ "description": " Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.",
+ "value": "Dridex",
+ "uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.secureworks.com/research/gozi",
+ "https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007",
+ "https://lokalhost.pl/gozi_tree.txt"
+ ],
+ "synonyms": [
+ "Ursnif",
+ "CRM",
+ "Snifula",
+ "Papras"
+ ],
+ "date": "First seen ~ 2007"
+ },
+ "description": "Banking trojan delivered primarily via email 
(typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010",
+ "value": "Gozi",
+ "uuid": "b9448d2a-a23c-4bf2-92a1-d860716ba2f3"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://krebsonsecurity.com/tag/gozi-prinimalka/",
+ "https://securityintelligence.com/project-blitzkrieg-how-to-block-the-planned-prinimalka-gozi-trojan-attack/",
+ "https://lokalhost.pl/gozi_tree.txt"
+ ],
+ "synonyms": [
+ "Prinimalka"
+ ],
+ "date": "Fall Oct. 2012 - Spring 2013"
+ },
+ "description": "Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.",
+ "value": "Goziv2",
+ "uuid": "71ad2c86-b9da-4351-acf9-7005f64062c7"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature",
+ "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
+ "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak",
+ "https://lokalhost.pl/gozi_tree.txt"
+ ],
+ "date": "Beginning 2010"
+ },
+ "description": "Banking trojan based on Gozi source. Features include web injects for the victims\u2019 browsers, screenshoting, video recording, transparent redirections, etc. 
Source leaked ~ end of 2015.",
+ "value": "Gozi ISFB",
+ "uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
+ "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality",
+ "https://lokalhost.pl/gozi_tree.txt"
+ ],
+ "date": "Since 2014"
+ },
+ "description": "Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.",
+ "value": "Dreambot",
+ "uuid": "549d1f8c-f76d-4d66-a1a2-2cd048d739ea"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://lokalhost.pl/gozi_tree.txt",
+ "http://archive.is/I7hi8#selection-217.0-217.6"
+ ],
+ "date": "Seen Autumn 2014"
+ },
+ "description": "Gozi ISFB variant ",
+ "value": "IAP",
+ "uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
+ "https://lokalhost.pl/gozi_tree.txt"
+ ],
+ "date": "Spring 2016"
+ },
+ "description": "GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper\u2019s stealth and persistence; the Gozi ISFB parts add the banking Trojan\u2019s capabilities to facilitate fraud via infected Internet browsers.",
+ "value": "GozNym",
+ "uuid": "bcefac9a-a928-490f-9cb6-a8863f40c949"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle",
+ "https://www.scmagazine.com/terdot-zloaderzbot-combo-abuses-certificate-app-to-pull-off-mitm-browser-attacks/article/634443/"
+ ],
+ "synonyms": [
+ "Zeus Terdot"
+ ],
+ "date": "First seen in Fall 2016 and still active today."
+ },
+ "description": "Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails. 
", + "value": "Zloader Zeus", + "uuid": "2eb658ed-aff4-4253-a21f-9059b133ce17" + }, + { + "meta": { + "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", + "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/" + ], + "synonyms": [ + "VM Zeus" + ], + "date": "First seen ~Feb 2014" + }, + "description": "Zeus variant that utilizes steganography in image files to retrieve configuration file. ", + "value": "Zeus VM", + "uuid": "09d1cad8-6b06-48d7-a968-5b17bbe9ca65" + }, + { + "meta": { + "refs": [ + "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/" + ], + "date": "First seen ~Aug 2015" + }, + "description": "Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.", + "value": "Zeus Sphinx", + "uuid": "8914802c-3aca-4a0d-874a-85ac7a1bc505" + }, + { + "meta": { + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market", + "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf", + "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers" + ], + "synonyms": [ + "Zeus Panda" + ], + "date": "First seen ~ Spring 2016" + }, + "description": "Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.", + "value": "Panda Banker", + "uuid": "f1971442-6477-4aa2-aafa-7529b8252455" + }, + { + "meta": { + "refs": [ + "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/", + "https://github.com/nyx0/KINS" + ], + "synonyms": [ + "Kasper Internet Non-Security", + "Maple" + ], + "date": "First seen 2014" + }, + "description": "Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of it's config in the registry. 
", + "value": "Zeus KINS", + "uuid": "bc0be3a4-89d8-4c4c-b2aa-2dddbed1f71d" + }, + { + "meta": { + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", + "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/" + ], + "date": "First seen fall of 2014" + }, + "description": "Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.", + "value": "Chthonic", + "uuid": "6deb9f26-969b-45aa-9222-c23663fd6ef8" + }, + { + "meta": { + "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", + "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", + "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", + "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/" + ], + "synonyms": [ + "Trickster", + "Trickloader" + ], + "date": "Discovered Fall 2016" + }, + "description": "Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan", + "value": "Trickbot", + "uuid": "07e3260b-d80c-4c86-bd28-8adc111bbec6" + }, + { + "meta": { + "refs": [ + "https://www.secureworks.com/research/dyre-banking-trojan", + "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" + ], + "synonyms": [ + "Dyreza" + ], + "date": "Discovered ~June 2014" + }, + "description": "Dyre is a banking trojan distributed via exploit kits and malspam emails primarily. It has a modular architectur and utilizes man-in-the-browser functionality. 
It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.",
+ "value": "Dyre",
+ "uuid": "15e969e6-f031-4441-a49b-f401332e4b00"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/",
+ "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/",
+ "https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/",
+ "http://my.infotex.com/tiny-banker-trojan/"
+ ],
+ "synonyms": [
+ "Zusy",
+ "TinyBanker",
+ "illi"
+ ],
+ "date": "Discovered ~Spring 2012"
+ },
+ "description": "Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.",
+ "value": "Tinba",
+ "uuid": "5594b171-32ec-4145-b712-e7701effffdd"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://feodotracker.abuse.ch/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/"
+ ],
+ "synonyms": [
+ "Feodo Version C",
+ "Emotet"
+ ],
+ "date": "Discovered ~Summer 2014"
+ },
+ "description": "Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.",
+ "value": "Geodo",
+ "uuid": "8e002f78-7fb8-4e70-afd7-0b4ac655be26"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://securelist.com/dridex-a-history-of-evolution/78531/",
+ "https://feodotracker.abuse.ch/",
+ "http://stopmalvertising.com/rootkits/analysis-of-cridex.html"
+ ],
+ "synonyms": [
+ "Bugat",
+ "Cridex"
+ ],
+ "date": "Discovered ~September 2011"
+ },
+ "description": "Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. 
Version A = Port 8080, Version B = Port 80 It is delivered primarily via exploit kits and malspam emails.", + "value": "Feodo", + "uuid": "7ca93488-c357-44c3-b246-3f88391aca5a" + }, + { + "meta": { + "refs": [ + "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/" + ], + "synonyms": [ + "Nimnul" + ], + "date": "Discovered ~2010." + }, + "description": "Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of perforrming Man-in-the-Browser attacks. Distributed primarily via exploit kits.", + "value": "Ramnit", + "uuid": "7e2288ec-e7d4-4833-9245-a2bc5ae40ee2" + }, + { + "meta": { + "refs": [ + "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", + "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", + "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf" + ], + "synonyms": [ + "Qbot ", + "Pinkslipbot" + ], + "date": "Discovered ~2007" + }, + "description": "Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.", + "value": "Qakbot", + "uuid": "b2ec1f16-2a76-4910-adc5-ecb3570e7c1a" + }, + { + "meta": { + "refs": [ + "https://securityintelligence.com/an-overnight-sensation-corebot-returns-as-a-full-fledged-financial-malware/", + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf", + "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/" + ], + "date": "Discovered ~Fall 2015" + }, + "description": "Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. 
Distributed primarily via malspam emails and exploit kits.", + "value": "Corebot", + "uuid": "8a3d46db-d3b4-4f89-99e2-d1f0de3f484c" + }, + { + "meta": { + "refs": [ + "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/", + "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/", + "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/", + "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596", + "https://benkowlab.blogspot.ca/2017/08/quick-look-at-another-alina-fork-xbot.html" + ], + "synonyms": [ + "NukeBot", + "Nuclear Bot", + "MicroBankingTrojan", + "Xbot" + ], + "date": "Discovered ~December 2016" + }, + "description": "TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. It's main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.", + "value": "TinyNuke", + "uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e" + }, + { + "meta": { + "refs": [ + "https://www.govcert.admin.ch/blog/33/the-retefe-saga", + "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/", + "https://countuponsecurity.com/2016/02/29/retefe-banking-trojan/", + "https://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/", + "http://securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters/" + ], + "synonyms": [ + "Tsukuba", + "Werdlod" + ], + "date": "Discovered in 2014" + }, + "description": "Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails. 
", + "value": "Retefe", + "uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c" + }, + { + "meta": { + "refs": [ + "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html", + "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under", + "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/" + ], + "date": "Discovered ~early 2015" + }, + "description": "ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.", + "value": "ReactorBot", + "uuid": "d939e802-acb2-4881-bdaf-ece1eccf5699" + }, + { + "meta": { + "refs": [ + "https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/" + ], + "date": "Discovered ~Spring 2017" + }, + "description": "Matrix Banker is named accordingly because of the Matrix reference in it's C2 panel. Distributed primarily via malspam emails.", + "value": "Matrix Banker", + "uuid": "aa3fc68c-413c-4bfb-b4cd-bca7094da985" + }, + { + "meta": { + "refs": [ + "https://heimdalsecurity.com/blog/zeus-gameover/", + "https://www.us-cert.gov/ncas/alerts/TA14-150A" + ], + "date": "Discovered ~Sept. 2011" + }, + "description": "Zeus Gameover captures banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. 
Distributed primarily via malspam emails and exploit kits.", + "value": "Zeus Gameover", + "uuid": "8653a94e-3eb3-4d88-8683-a1ae4a524774" + }, + { + "meta": { + "refs": [ + "https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf", + "https://www.computerworld.com/article/2509482/security0/spyeye-trojan-defeating-online-banking-defenses.html", + "https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot" + ], + "date": "Discovered early 2011" + }, + "description": "SpyEye is a similar to the Zeus botnet banking trojan. It utilizes a web control panel for C2 and can perform form grabbing, autofill credit card modules, ftp grabber, pop3 grabber and HTTP basic access authorization grabber. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.", + "value": "SpyEye", + "uuid": "ebce18e9-b387-4b7d-bab9-4acd4fca7a7c" + }, + { + "meta": { + "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/", + "https://krebsonsecurity.com/tag/citadel-trojan/", + "https://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/" + ], + "date": "Discovered ~January 2012" + }, + "description": "Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.", + "value": "Citadel", + "uuid": "9eb89081-3245-423a-995f-c1d78ce39619" + }, + { + "meta": { + "refs": [ + "https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/", + "http://www.xylibox.com/2016/02/citadel-0011-atmos.html" + ], + "date": "Discovered ~spring 2016" + }, + "description": "Atmos is derived from the Citadel banking trojan. 
Delivered primarily via exploit kits and malspam emails.", + "value": "Atmos", + "uuid": "ee021933-929d-4d6c-abca-5827cfb77289" + }, + { + "meta": { + "refs": [ + "https://securelist.com/ice-ix-not-cool-at-all/29111/ " + ], + "date": "Discovered ~Fall 2011" + }, + "description": "Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.", + "value": "Ice IX", + "uuid": "1d4a5704-c6fb-4bbb-92b2-88dc67f86339" + }, + { + "meta": { + "refs": [ + "https://securelist.com/zeus-in-the-mobile-for-android-10/29258/" + ], + "date": "Discovered ~end of 2010" + }, + "description": "Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.", + "value": "Zitmo", + "uuid": "3b1aff8f-647d-4709-aab0-6db1859c5f11" + }, + { + "meta": { + "refs": [ + "https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/", + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_LICAT.A", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus%3aWin32%2fMurofet.A" + ], + "synonyms": [ + "Murofet" + ], + "date": "Discovered in 2010" + }, + "description": "Banking trojan based on Zeus V2. Murofet is a newer version of Licat found ~end of 2011", + "value": "Licat", + "uuid": "0b097926-2e1a-4134-8ab9-4c16d0cca0fc" + }, + { + "meta": { + "refs": [ + "https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/" + ], + "date": "Discovered end of 2012" + }, + "description": "Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. 
Spread via USENET as per rapid7.", + "value": "Skynet", + "uuid": "f20791e4-26a7-45e0-90e6-709553b223b2" + }, + { + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/", + "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" + ], + "date": "Discovered in September 2017" + }, + "description": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.", + "value": "IcedID", + "uuid": "9d67069c-b778-486f-8158-53f5dcd05d08" + }, + { + "value": "GratefulPOS", + "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. 
Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.", + "meta": { + "refs": [ + "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season" + ] + }, + "uuid": "7d9362e5-e3cf-4640-88a2-3faf31952963" + }, + { + "value": "Dok", + "description": "A macOS banking trojan that that redirects an infected user's web traffic in order to extract banking credentials.", + "meta": { + "refs": [ + "https://objective-see.com/blog/blog_0x25.html#Dok" + ] + }, + "uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0" + }, + { + "value": "downAndExec", + "description": "Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent \u201cfileless\u201d banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.", + "meta": { + "refs": [ + "https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/" + ] + }, + "uuid": "bfff538a-89dd-4bed-9ac1-b4faee373724" + }, + { + "value": "Smominru", + "description": "Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). 
The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner\u2019s use of Windows Management Infrastructure is unusual among coin mining malware.\nThe speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as \u201chash power\u201d. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators"
+ ],
+ "synonyms": [
+ "Ismo",
+ "lsmo"
+ ]
+ },
+ "uuid": "f93acc85-8d2c-41e0-b0c5-47795b8c6194"
+ }
+ ],
+ "version": 7,
+ "uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
+ "description": "A list of banker malware.",
+ "authors": [
+ "Unknown"
+ ],
+ "source": "Open Sources",
+ "type": "banker",
+ "name": "Banker"
+}
\ No newline at end of file
diff --git a/clusters/botnet.json b/clusters/botnet.json
index f0c66d0..b1e2ab0 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -1,503 +1,543 @@ { - "values": [ - { - "value": "ADB.miner", - "description": "A new botnet appeared over the weekend, and it's targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.\n\nThe botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system's native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system's most sensitive features.\n\nOnly devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV top boxes, according to security researchers from Qihoo 360's Network Security Research Lab [Netlab] division, the ones who discovered the botnet, which the named ADB.miner.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/" - ] - } - }, - { - "value": "Bagle", - "description": "Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Bagle_(computer_worm)" - ], - "synonyms": [ - "Beagle", - "Mitglieder", - "Lodeight" - ], - "date": "2004" - } - }, - { - "value": "Marina Botnet", - "description": "Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. 
At its peak, Marina Botnet delivered 92 billion spam emails per day.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Botnet" - ], - "synonyms": [ - "Damon Briant", - "BOB.dc", - "Cotmonger", - "Hacktool.Spammer", - "Kraken" - ] - } - }, - { - "value": "Torpig", - "description": "Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Torpig" - ], - "synonyms": [ - "Sinowal", - "Anserin" - ], - "date": "2005" - } - }, - { - "value": "Storm", - "description": "The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of \"zombie\" computers (or \"botnet\") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as \"230 dead as storm batters Europe,\" giving it its well-known name. 
The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Storm_botnet" - ], - "synonyms": [ - "Nuwar", - "Peacomm", - "Zhelatin", - "Dorf", - "Ecard" - ], - "date": "2007" - } - }, - { - "value": "Rustock", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Rustock_botnet" - ], - "synonyms": [ - "RKRustok", - "Costrat" - ], - "date": "2006" - } - }, - { - "value": "Donbot", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Donbot_botnet" - ], - "synonyms": [ - "Buzus", - "Bachsoy" - ] - } - }, - { - "value": "Cutwail", - "description": "The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo.] It affects computers running Microsoft Windows. related to: Wigon, Pushdo", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Cutwail_botnet" - ], - "synonyms": [ - "Pandex", - "Mutant" - ], - "date": "2007" - } - }, - { - "value": "Akbot", - "description": "Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Akbot" - ], - "date": "2007" - } - }, - { - "value": "Srizbi", - "description": "Srizbi BotNet, considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. 
Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Srizbi_botnet" - ], - "synonyms": [ - "Cbeplay", - "Exchanger" - ], - "date": "March 2007" - } - }, - { - "value": "Lethic", - "description": "The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Lethic_botnet" - ], - "date": "2008" - } - }, - { - "value": "Xarvester", - "meta": { - "refs": [ - "https://krebsonsecurity.com/tag/xarvester/" - ], - "synonyms": [ - "Rlsloup", - "Pixoliz" - ] - } - }, - { - "value": "Sality", - "description": "Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. 
Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Sality" - ], - "synonyms": [ - "Sector", - "Kuku", - "Sality", - "SalLoad", - "Kookoo", - "SaliCode", - "Kukacka" - ], - "date": "2008" - } - }, - { - "value": "Mariposa", - "description": "The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the \"Butterfly (mariposa in Spanish) Bot\", making it one of the largest known botnets.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Mariposa_botnet" - ], - "date": "2008" - } - }, - { - "value": "Conficker", - "description": "Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Conficker" - ], - "synonyms": [ - "DownUp", - "DownAndUp", - "DownAdUp", - "Kido" - ], - "date": "November 2008" - } - }, - { - "value": "Waledac", - "description": "Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. 
In March 2010 the botnet was taken down by Microsoft.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Waledac_botnet" - ], - "synonyms": [ - "Waled", - "Waledpak" - ], - "date": "November 2008" - } - }, - { - "value": "Maazben", - "description": "A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.", - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/evaluating-botnet-capacity" - ] - } - }, - { - "value": "Onewordsub", - "meta": { - "refs": [ - "https://www.botnets.fr/wiki/OneWordSub" - ] - } - }, - { - "value": "Gheg", - "description": "Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware – it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server – they modify code by overwriting some of the called functions with their own. 
An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).", - "meta": { - "refs": [ - "https://www.cert.pl/en/news/single/tofsee-en/" - ], - "synonyms": [ - "Tofsee", - "Mondera" - ] - } - }, - { - "value": "Nucrypt", - "meta": { - "refs": [ - "https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en" - ] - } - }, - { - "value": "Wopla", - "meta": { - "refs": [ - "https://www.botnets.fr/wiki.old/index.php/Wopla" - ] - } - }, - { - "value": "Asprox", - "description": "The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Asprox_botnet" - ], - "synonyms": [ - "Badsrc", - "Aseljo", - "Danmec", - "Hydraflux" - ], - "date": "2008" - } - }, - { - "value": "Spamthru", - "description": "Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machine’s processing power as well as bandwidth. 
It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.", - "meta": { - "refs": [ - "http://www.root777.com/security/analysis-of-spam-thru-botnet/" - ], - "synonyms": [ - "Spam-DComServ", - "Covesmer", - "Xmiler" - ] - } - }, - { - "value": "Gumblar", - "description": "Gumblar is a malicious JavaScript trojan horse file that redirects a user's Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Gumblar" - ], - "date": "2008" - } - }, - { - "value": "BredoLab", - "description": "The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Bredolab_botnet" - ], - "date": "May 2009", - "synonyms": [ - "Oficla" - ] - } - }, - { - "value": "Grum", - "description": "The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. 
At the time of its shutdown in July 2012, Grum was reportedly the world's 3rd largest botnet, responsible for 18% of worldwide spam traffic.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Grum_botnet" - ], - "date": "2009", - "synonyms": [ - "Tedroo", - "Reddyb" - ] - } - }, - { - "value": "Mega-D", - "description": "The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Mega-D_botnet" - ], - "synonyms": [ - "Ozdok" - ] - } - }, - { - "value": "Kraken", - "description": "The Kraken botnet was the world's largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Kraken_botnet" - ], - "synonyms": [ - "Kracken" - ] - } - }, - { - "value": "Festi", - "description": "The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Festi_botnet" - ], - "date": "August 2009", - "synonyms": [ - "Spamnost" - ] - } - }, - { - "value": "Vulcanbot", - "description": "Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. 
It is thought to have begun in late 2009.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Vulcanbot" - ], - "date": "March 2010" - } - }, - { - "value": "LowSec", - "meta": { - "date": "January 2010", - "synonyms": [ - "LowSecurity", - "FreeMoney", - "Ring0.Tools" - ] - } - }, - { - "value": "TDL4", - "description": "Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system's network traffic and searching for: banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015,triggered these crashes by breaking assumptions made by the malware author(s).", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Alureon#TDL-4" - ], - "date": "2010", - "synonyms": [ - "TDSS", - "Alureon" - ] - } - }, - { - "value": "Zeus", - "description": "Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. 
Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Zeus_(malware)" - ], - "synonyms": [ - "Zbot", - "ZeuS", - "PRG", - "Wsnpoem", - "Gorhax", - "Kneber" - ] - } - }, - { - "value": "Kelihos", - "description": "The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Kelihos_botnet" - ], - "date": "2010", - "synonyms": [ - "Hlux" - ] - } - }, - { - "value": "Ramnit", - "description": "Ramnit is a Computer worm affecting Windows users. It was estimated that it infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec securities in 2015. In 2015, this infection was estimated at 3 200 000 PCs.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Botnet" - ], - "date": "2011" - } - }, - { - "value": "Zer0n3t", - "meta": { - "date": "2013", - "synonyms": [ - "Fib3rl0g1c", - "Zer0n3t", - "Zer0Log1x" - ] - } - }, - { - "value": "Chameleon", - "description": "The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. 
The affected computers were all Windows PCs with the majority being private PCs (residential systems).", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Chameleon_botnet" - ], - "date": "2012" - } - }, - { - "value": "Mirai", - "description": "Mirai (Japanese for \"the future\", 未来) is a malware that turns networked devices running Linux into remotely controlled \"bots\" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Mirai_(malware)" - ], - "date": "August 2016" - } - }, - { - "value": "Satori", - "description": "According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/", - "https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant" - ], - "synonyms": [ - "Okiru" - ] - } - }, - { - "value": "BetaBot", - "meta": { - "date": "April 2017" - } - } - ], - "name": "Botnet", - 
"type": "botnet", - "source": "MISP Project", - "authors": [ - "Various" - ], - "description": "botnet galaxy", - "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f", - "version": 1 -} + "values": [ + { + "value": "ADB.miner", + "description": "A new botnet appeared over the weekend, and it's targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.\n\nThe botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system's native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system's most sensitive features.\n\nOnly devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV top boxes, according to security researchers from Qihoo 360's Network Security Research Lab [Netlab] division, the ones who discovered the botnet, which the named ADB.miner.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/" + ] + }, + "uuid": "6d7fc046-61c8-4f4e-add9-eebe5b5f4f69" + }, + { + "value": "Bagle", + "description": "Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Bagle_(computer_worm)" + ], + "synonyms": [ + "Beagle", + "Mitglieder", + "Lodeight" + ], + "date": "2004" + }, + "uuid": "d530ea76-9bbc-4276-a2e3-df04e0e5a14c" + }, + { + "value": "Marina Botnet", + "description": "Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these \u201chacker tools\u201d could get out of hand very quickly. 
At its peak, Marina Botnet delivered 92 billion spam emails per day.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Botnet" + ], + "synonyms": [ + "Damon Briant", + "BOB.dc", + "Cotmonger", + "Hacktool.Spammer", + "Kraken" + ] + }, + "uuid": "7296f769-9bb7-474d-bbc7-5839f71d052a" + }, + { + "value": "Torpig", + "description": "Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Torpig" + ], + "synonyms": [ + "Sinowal", + "Anserin" + ], + "date": "2005" + }, + "uuid": "415a3667-4ac4-4718-a6ea-617540a4abb1" + }, + { + "value": "Storm", + "description": "The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of \"zombie\" computers (or \"botnet\") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as \"230 dead as storm batters Europe,\" giving it its well-known name. 
The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Storm_botnet" + ], + "synonyms": [ + "Nuwar", + "Peacomm", + "Zhelatin", + "Dorf", + "Ecard" + ], + "date": "2007" + }, + "uuid": "74ebec0c-6db3-47b9-9879-0d125e413e76" + }, + { + "value": "Rustock", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Rustock_botnet" + ], + "synonyms": [ + "RKRustok", + "Costrat" + ], + "date": "2006" + }, + "uuid": "9bca63cc-f0c7-4704-9c5f-b5bf473a9b43" + }, + { + "value": "Donbot", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Donbot_botnet" + ], + "synonyms": [ + "Buzus", + "Bachsoy" + ] + }, + "uuid": "27a7fd9b-ec9a-4f4a-b3f5-a3b81c71970a" + }, + { + "value": "Cutwail", + "description": "The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo.] It affects computers running Microsoft Windows. related to: Wigon, Pushdo", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Cutwail_botnet" + ], + "synonyms": [ + "Pandex", + "Mutant" + ], + "date": "2007" + }, + "uuid": "35e25aad-7c39-4a1d-aa17-73fa638362e8" + }, + { + "value": "Akbot", + "description": "Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Akbot" + ], + "date": "2007" + }, + "uuid": "6e1168e6-7768-4fa2-951f-6d6934531633" + }, + { + "value": "Srizbi", + "description": "Srizbi BotNet, considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. 
Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Srizbi_botnet" + ], + "synonyms": [ + "Cbeplay", + "Exchanger" + ], + "date": "March 2007" + }, + "uuid": "6df98396-b52a-4f84-bec2-0060bc46bdbf" + }, + { + "value": "Lethic", + "description": "The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Lethic_botnet" + ], + "date": "2008" + }, + "uuid": "a73e150f-1431-4f72-994a-4000405eff07" + }, + { + "value": "Xarvester", + "meta": { + "refs": [ + "https://krebsonsecurity.com/tag/xarvester/" + ], + "synonyms": [ + "Rlsloup", + "Pixoliz" + ] + }, + "uuid": "e965dd3a-bfd9-4c88-b7a5-a8fc328ac859" + }, + { + "value": "Sality", + "description": "Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. 
Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Sality" + ], + "synonyms": [ + "Sector", + "Kuku", + "Sality", + "SalLoad", + "Kookoo", + "SaliCode", + "Kukacka" + ], + "date": "2008" + }, + "uuid": "6fe5f49d-48b5-4dc2-92f7-8c94397b9c96" + }, + { + "value": "Mariposa", + "description": "The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the \"Butterfly (mariposa in Spanish) Bot\", making it one of the largest known botnets.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Mariposa_botnet" + ], + "date": "2008" + }, + "uuid": "f4878385-c6c7-4f6b-8637-08146841d2a2" + }, + { + "value": "Conficker", + "description": "Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. 
The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Conficker" + ], + "synonyms": [ + "DownUp", + "DownAndUp", + "DownAdUp", + "Kido" + ], + "date": "November 2008" + }, + "uuid": "ab49815e-8ba6-41ec-9f51-8a9587334069" + }, + { + "value": "Waledac", + "description": "Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Waledac_botnet" + ], + "synonyms": [ + "Waled", + "Waledpak" + ], + "date": "November 2008" + }, + "uuid": "4e324956-3177-4c8f-b0b6-e3bc4c3ede2f" + }, + { + "value": "Maazben", + "description": "A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.", + "meta": { + "refs": [ + "https://www.symantec.com/connect/blogs/evaluating-botnet-capacity" + ] + }, + "uuid": "a461f744-ab52-4a78-85e4-aedca1303a4c" + }, + { + "value": "Onewordsub", + "meta": { + "refs": [ + "https://www.botnets.fr/wiki/OneWordSub" + ] + }, + "uuid": "4cc97d31-c9ab-4682-aae4-21dcbc02118f" + }, + { + "value": "Gheg", + "description": "Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. 
It is possible thanks to the modular design of this malware \u2013 it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server \u2013 they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).", + "meta": { + "refs": [ + "https://www.cert.pl/en/news/single/tofsee-en/" + ], + "synonyms": [ + "Tofsee", + "Mondera" + ] + }, + "uuid": "ca11e3f2-cda1-45dc-bed1-8708fa9e27a6" + }, + { + "value": "Nucrypt", + "meta": { + "refs": [ + "https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en" + ] + }, + "uuid": "ec9917f4-006b-4a32-9a58-c03b5c85abe4" + }, + { + "value": "Wopla", + "meta": { + "refs": [ + "https://www.botnets.fr/wiki.old/index.php/Wopla" + ] + }, + "uuid": "b2ec8e6b-414d-4d76-b51c-8ba3eee2918d" + }, + { + "value": "Asprox", + "description": "The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Asprox_botnet" + ], + "synonyms": [ + "Badsrc", + "Aseljo", + "Danmec", + "Hydraflux" + ], + "date": "2008" + }, + "uuid": "0d58f329-1356-468c-88ab-e21fbb64c02b" + }, + { + "value": "Spamthru", + "description": "Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. 
Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machine\u2019s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.", + "meta": { + "refs": [ + "http://www.root777.com/security/analysis-of-spam-thru-botnet/" + ], + "synonyms": [ + "Spam-DComServ", + "Covesmer", + "Xmiler" + ] + }, + "uuid": "3da8c2f9-dbbf-4825-9010-2261b2007d22" + }, + { + "value": "Gumblar", + "description": "Gumblar is a malicious JavaScript trojan horse file that redirects a user's Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Gumblar" + ], + "date": "2008" + }, + "uuid": "5b83d0ac-3661-465e-b3ab-ca182d1eacad" + }, + { + "value": "BredoLab", + "description": "The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Bredolab_botnet" + ], + "date": "May 2009", + "synonyms": [ + "Oficla" + ] + }, + "uuid": "65a30580-d542-4113-b00f-7fab98bd046c" + }, + { + "value": "Grum", + "description": "The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. 
At the time of its shutdown in July 2012, Grum was reportedly the world's 3rd largest botnet, responsible for 18% of worldwide spam traffic.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Grum_botnet" + ], + "date": "2009", + "synonyms": [ + "Tedroo", + "Reddyb" + ] + }, + "uuid": "a2a601db-2ae7-4695-ac0c-0a3ea8822356" + }, + { + "value": "Mega-D", + "description": "The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Mega-D_botnet" + ], + "synonyms": [ + "Ozdok" + ] + }, + "uuid": "c12537fc-1de5-4d12-ae36-649f32919059" + }, + { + "value": "Kraken", + "description": "The Kraken botnet was the world's largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Kraken_botnet" + ], + "synonyms": [ + "Kracken" + ] + }, + "uuid": "e721809b-2785-4ce3-b95a-7fde2762f736" + }, + { + "value": "Festi", + "description": "The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Festi_botnet" + ], + "date": "August 2009", + "synonyms": [ + "Spamnost" + ] + }, + "uuid": "b76128e3-cea5-4df8-8d23-d9f3305e5a14" + }, + { + "value": "Vulcanbot", + "description": "Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. 
It is thought to have begun in late 2009.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Vulcanbot" + ], + "date": "March 2010" + }, + "uuid": "dfd17a50-65df-4ddc-899e-1052e5001a1f" + }, + { + "value": "LowSec", + "meta": { + "date": "January 2010", + "synonyms": [ + "LowSecurity", + "FreeMoney", + "Ring0.Tools" + ] + }, + "uuid": "533e3474-d08d-4d02-8adc-3765750dd3a3" + }, + { + "value": "TDL4", + "description": "Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system's network traffic and searching for: banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015,triggered these crashes by breaking assumptions made by the malware author(s).", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Alureon#TDL-4" + ], + "date": "2010", + "synonyms": [ + "TDSS", + "Alureon" + ] + }, + "uuid": "61a17703-7837-4cc9-b022-b5ed6b30efc1" + }, + { + "value": "Zeus", + "description": "Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. 
Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Zeus_(malware)" + ], + "synonyms": [ + "Zbot", + "ZeuS", + "PRG", + "Wsnpoem", + "Gorhax", + "Kneber" + ] + }, + "uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28" + }, + { + "value": "Kelihos", + "description": "The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Kelihos_botnet" + ], + "date": "2010", + "synonyms": [ + "Hlux" + ] + }, + "uuid": "07b10419-e8b5-4b5f-a179-77fc9b127dc6" + }, + { + "value": "Ramnit", + "description": "Ramnit is a Computer worm affecting Windows users. It was estimated that it infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec securities in 2015. In 2015, this infection was estimated at 3 200 000 PCs.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Botnet" + ], + "date": "2011" + }, + "uuid": "8ed81090-f098-4878-b87e-2d801b170759" + }, + { + "value": "Zer0n3t", + "meta": { + "date": "2013", + "synonyms": [ + "Fib3rl0g1c", + "Zer0n3t", + "Zer0Log1x" + ] + }, + "uuid": "417c36fb-fff7-40df-8387-07169113b9b4" + }, + { + "value": "Chameleon", + "description": "The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. 
This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Chameleon_botnet" + ], + "date": "2012" + }, + "uuid": "3084cd06-e415-4ff0-abd0-cf8fbf67c53c" + }, + { + "value": "Mirai", + "description": "Mirai (Japanese for \"the future\", \u672a\u6765) is a malware that turns networked devices running Linux into remotely controlled \"bots\" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Mirai_(malware)" + ], + "date": "August 2016" + }, + "uuid": "fcdfd4af-da35-49a8-9610-19be8a487185" + }, + { + "value": "Satori", + "description": "According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.", + "meta": { + "refs": [ + 
"https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/",
+ "https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant"
+ ],
+ "synonyms": [
+ "Okiru"
+ ]
+ },
+ "uuid": "e77cf495-632a-4459-aad1-cdf29d73683f"
+ },
+ {
+ "value": "BetaBot",
+ "meta": {
+ "date": "April 2017"
+ },
+ "uuid": "3d7c771b-b175-41c9-8ba1-904ef29715fa"
+ }
+ ],
+ "name": "Botnet",
+ "type": "botnet",
+ "source": "MISP Project",
+ "authors": [
+ "Various"
+ ],
+ "description": "botnet galaxy",
+ "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
+ "version": 1
+}
\ No newline at end of file
diff --git a/clusters/branded_vulnerability.json b/clusters/branded_vulnerability.json
index 34599aa..e05f460 100644
--- a/clusters/branded_vulnerability.json
+++ b/clusters/branded_vulnerability.json
@@ -1,142 +1,153 @@
 {
- "values": [
- {
- "value": "Meltdown",
- "description": "Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.",
- "meta": {
- "aliases": [
- "CVE-2017-5754"
- ],
- "logo": [
- "https://upload.wikimedia.org/wikipedia/commons/thumb/5/56/Meltdown_with_text.svg/300px-Meltdown_with_text.svg.png"
- ]
- }
- },
- {
- "value": "Spectre",
- "description": "Spectre exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Spectre are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.",
- "meta": {
- "aliases": [
- "CVE-2017-5753",
- "CVE-2017-5715"
- ],
- "logo": [
- "https://en.wikipedia.org/wiki/File:Spectre_with_text.svg"
- ]
- }
- },
- {
- "value": "Heartbleed",
- "description": "Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug's name derives from heartbeat. 
The vulnerability is classified as a buffer over-read,[5] a situation where more data can be read than should be allowed.", - "meta": { - "aliases": [ - "CVE-2014–0160" - ], - "logo": [ - "https://upload.wikimedia.org/wikipedia/commons/thumb/d/dc/Heartbleed.svg/440px-Heartbleed.svg.png" - ] - } - }, - { - "value": "Shellshock", - "description": "Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.", - "meta": { - "aliases": [ - "CVE-2014–6271" - ], - "logo": [ - "https://upload.wikimedia.org/wikipedia/commons/thumb/4/44/Shellshock-bug.png/440px-Shellshock-bug.png", - "https://upload.wikimedia.org/wikipedia/commons/8/86/Shellshock.png", - "https://cdn-images-1.medium.com/max/1600/1*bopQcJtKouPOJ_isSzanLw.png" - ] - } - }, - { - "value": "Ghost", - "description": "The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.\nDuring a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. 
These functions convert a hostname into an IP address.", - "meta": { - "aliases": [ - "CVE-2015–0235" - ], - "logo": [ - "https://cdn-images-1.medium.com/max/1600/1*HnCEOo0RUT1fliJjRT02lA.png" - ] - } - }, - { - "value": "Stagefright", - "description": "Stagefright is the name given to a group of software bugs that affect versions 2.2 (\"Froyo\") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn’t have to do anything to ‘accept’ the bug, it happens in the background. The phone number is the only target information.", - "meta": { - "aliases": [ - "CVE-2015-1538", - "CVE-2015-1539", - "CVE-2015-3824", - "CVE-2015-3826", - "CVE-2015-3827", - "CVE-2015-3828", - "CVE-2015-3829", - "CVE-2015-3864" - ], - "logo": [ - "https://upload.wikimedia.org/wikipedia/en/f/f2/Stagefright_bug_logo.png", - "https://cdn-images-1.medium.com/max/1600/1*-Ivm3lZHNaOUwmklT4Rb1g.png" - ] - } - }, - { - "value": "Badlock", - "description": "Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols[1] supported by Windows and Samba servers.", - "meta": { - "logo": [ - "https://upload.wikimedia.org/wikipedia/commons/thumb/4/4b/Badlock_logo.svg/440px-Badlock_logo.svg.png", - "https://cdn-images-1.medium.com/max/1600/1*EVbwwxEBOU83NKxgQrPG9w.png" - ] - } - }, - { - "value": "Dirty COW", - "description": "Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based 
operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.", - "meta": { - "aliases": [ - "CVE-2016-5195" - ], - "logo": [ - "https://upload.wikimedia.org/wikipedia/commons/thumb/1/1b/DirtyCow.svg/440px-DirtyCow.svg.png" - ] - } - }, - { - "value": "POODLE", - "description": "The POODLE attack (which stands for \"Padding Oracle On Downgraded Legacy Encryptio\") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated \"September 2014\" ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.", - "meta": { - "aliases": [ - "CVE-2014-3566" - ] - } - }, - { - "value": "BadUSB", - "description": "The ‘BadUSB’ vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. 
As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent."
- },
- {
- "value": "ImageTragick",
- "meta": {
- "aliases": [
- "CVE-2016–3714"
- ],
- "logo": [
- "https://imagetragick.com/img/logo-medium.png"
- ]
- }
- }
- ],
- "version": 1,
- "uuid": "93715a12-f45b-11e7-bcf9-3767161e9ebd",
- "description": "List of known vulnerabilities and attacks with a branding",
- "authors": [
- "Unknown"
- ],
- "source": "Open Sources",
- "type": "branded-vulnerability",
- "name": "Branded Vulnerability"
-}
+ "values": [
+ {
+ "value": "Meltdown",
+ "description": "Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.",
+ "meta": {
+ "aliases": [
+ "CVE-2017-5754"
+ ],
+ "logo": [
+ "https://upload.wikimedia.org/wikipedia/commons/thumb/5/56/Meltdown_with_text.svg/300px-Meltdown_with_text.svg.png"
+ ]
+ },
+ "uuid": "70bee5b7-0fa3-4a4d-98ee-d8ab787c6db1"
+ },
+ {
+ "value": "Spectre",
+ "description": "Spectre exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Spectre are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. 
The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.", + "meta": { + "aliases": [ + "CVE-2017-5753", + "CVE-2017-5715" + ], + "logo": [ + "https://en.wikipedia.org/wiki/File:Spectre_with_text.svg" + ] + }, + "uuid": "36168188-6d14-463a-9713-f88764a83329" + }, + { + "value": "Heartbleed", + "description": "Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug's name derives from heartbeat. The vulnerability is classified as a buffer over-read,[5] a situation where more data can be read than should be allowed.", + "meta": { + "aliases": [ + "CVE-2014\u20130160" + ], + "logo": [ + "https://upload.wikimedia.org/wikipedia/commons/thumb/d/dc/Heartbleed.svg/440px-Heartbleed.svg.png" + ] + }, + "uuid": "d6d85947-e6ee-4d2e-bb48-437f31c7a270" + }, + { + "value": "Shellshock", + "description": "Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. 
This can allow an attacker to gain unauthorized access to a computer system.", + "meta": { + "aliases": [ + "CVE-2014\u20136271" + ], + "logo": [ + "https://upload.wikimedia.org/wikipedia/commons/thumb/4/44/Shellshock-bug.png/440px-Shellshock-bug.png", + "https://upload.wikimedia.org/wikipedia/commons/8/86/Shellshock.png", + "https://cdn-images-1.medium.com/max/1600/1*bopQcJtKouPOJ_isSzanLw.png" + ] + }, + "uuid": "2102db77-5a51-40c1-bfc1-38fb7dcb7f05" + }, + { + "value": "Ghost", + "description": "The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.\nDuring a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.", + "meta": { + "aliases": [ + "CVE-2015\u20130235" + ], + "logo": [ + "https://cdn-images-1.medium.com/max/1600/1*HnCEOo0RUT1fliJjRT02lA.png" + ] + }, + "uuid": "a1640081-aa8d-4070-84b2-d23e2ae82799" + }, + { + "value": "Stagefright", + "description": "Stagefright is the name given to a group of software bugs that affect versions 2.2 (\"Froyo\") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. 
Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed\u2014the user doesn\u2019t have to do anything to \u2018accept\u2019 the bug, it happens in the background. The phone number is the only target information.", + "meta": { + "aliases": [ + "CVE-2015-1538", + "CVE-2015-1539", + "CVE-2015-3824", + "CVE-2015-3826", + "CVE-2015-3827", + "CVE-2015-3828", + "CVE-2015-3829", + "CVE-2015-3864" + ], + "logo": [ + "https://upload.wikimedia.org/wikipedia/en/f/f2/Stagefright_bug_logo.png", + "https://cdn-images-1.medium.com/max/1600/1*-Ivm3lZHNaOUwmklT4Rb1g.png" + ] + }, + "uuid": "352916e7-62bf-4b0c-bce7-da759d1a4f5f" + }, + { + "value": "Badlock", + "description": "Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols[1] supported by Windows and Samba servers.", + "meta": { + "logo": [ + "https://upload.wikimedia.org/wikipedia/commons/thumb/4/4b/Badlock_logo.svg/440px-Badlock_logo.svg.png", + "https://cdn-images-1.medium.com/max/1600/1*EVbwwxEBOU83NKxgQrPG9w.png" + ] + }, + "uuid": "74f2bd2c-69f1-4d28-8d42-94b7ef89f31e" + }, + { + "value": "Dirty COW", + "description": "Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. 
Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.", + "meta": { + "aliases": [ + "CVE-2016-5195" + ], + "logo": [ + "https://upload.wikimedia.org/wikipedia/commons/thumb/1/1b/DirtyCow.svg/440px-DirtyCow.svg.png" + ] + }, + "uuid": "54196537-cb0c-425c-83d6-437d41b4cc65" + }, + { + "value": "POODLE", + "description": "The POODLE attack (which stands for \"Padding Oracle On Downgraded Legacy Encryptio\") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo M\u00f6ller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated \"September 2014\" ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.", + "meta": { + "aliases": [ + "CVE-2014-3566" + ] + }, + "uuid": "22b9af72-48c9-4da1-b13d-15667dbdd998" + }, + { + "value": "BadUSB", + "description": "The \u2018BadUSB\u2019 vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. 
As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.",
+ "uuid": "bc3a3299-1443-4390-8b25-4bb280c1abd7"
+ },
+ {
+ "value": "ImageTragick",
+ "meta": {
+ "aliases": [
+ "CVE-2016\u20133714"
+ ],
+ "logo": [
+ "https://imagetragick.com/img/logo-medium.png"
+ ]
+ },
+ "uuid": "e85e1270-eec5-4331-8004-a063125a54b4"
+ }
+ ],
+ "version": 1,
+ "uuid": "93715a12-f45b-11e7-bcf9-3767161e9ebd",
+ "description": "List of known vulnerabilities and attacks with a branding",
+ "authors": [
+ "Unknown"
+ ],
+ "source": "Open Sources",
+ "type": "branded-vulnerability",
+ "name": "Branded Vulnerability"
+}
\ No newline at end of file
diff --git a/clusters/cert-eu-govsector.json b/clusters/cert-eu-govsector.json
index 7c60f29..79b6a30 100644
--- a/clusters/cert-eu-govsector.json
+++ b/clusters/cert-eu-govsector.json
@@ -1,31 +1,37 @@
 {
- "values": [
- {
- "value": "Constituency"
- },
- {
- "value": "EU-Centric"
- },
- {
- "value": "EU-nearby"
- },
- {
- "value": "World-class"
- },
- {
- "value": "Unknown"
- },
- {
- "value": "Outside World"
- }
- ],
- "version": 1,
- "uuid": "69351b20-b898-11e7-a2f1-c3e696a74a48",
- "description": "Cert EU GovSector",
- "authors": [
- "Various"
- ],
- "source": "CERT-EU",
- "type": "cert-seu-gocsector",
- "name": "Cert EU GovSector"
-}
+ "values": [
+ {
+ "value": "Constituency",
+ "uuid": "8ebd301f-067f-499d-8718-f63c8ced73ac"
+ },
+ {
+ "value": "EU-Centric",
+ "uuid": "bf3fd6a1-692e-4d77-b17d-496f71eebac9"
+ },
+ {
+ "value": "EU-nearby",
+ "uuid": "536dada1-30e5-453a-9611-33597ab5c373"
+ },
+ {
+ "value": "World-class",
+ "uuid": "8024aa5d-d0b0-4114-87c9-92e358c96850"
+ },
+ {
+ "value": "Unknown",
+ "uuid": "32f8b3dd-defc-47c8-a070-378f5e0e1be8"
+ },
+ {
+ "value": "Outside World",
+ "uuid": "adc80f46-86ef-4de8-95d1-15c45c15d002"
+ }
+ ],
+ "version": 1,
+ "uuid": "69351b20-b898-11e7-a2f1-c3e696a74a48",
+ "description": "Cert EU GovSector",
+ "authors": [
+ "Various"
+ ],
+ "source": "CERT-EU",
+ "type": "cert-seu-gocsector",
+ "name": "Cert EU GovSector"
+}
\ No newline at end of file
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 520a706..43789d0 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
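Review bot: `"version": 1` on the new side is left unchanged even though every entry in `values` gained a `uuid` field; if consumers use the cluster version to decide whether to re-import (presumably the case for a MISP galaxy cluster), this update will not be picked up, so it should become `"version": 2`. The same unchanged `"version": 1` appears on the new side of the branded-vulnerability section above. The new side also carries over `"type": "cert-seu-gocsector"`, which reads like a typo for `cert-eu-govsector`; since changing it could break consumers that key on the type, it deserves a deliberate decision rather than a silent carry-over. Finally, the rewritten file ends without a trailing newline (`\ No newline at end of file` appears only on the new side), which is worth restoring for consistency with the rest of the repository.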
@@ -1,599 +1,642 @@ { - "values": [ - { - "value": "Astrum", - "description": "Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. It's notable by its use of Steganography", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2014/09/astrum-ek.html", - "http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/" - ], - "synonyms": [ - "Stegano EK" - ], - "status": "Active" - } - }, - { - "value": "Bingo", - "description": "Bingo EK is the name chosen by the defense for a Fiesta-ish EK first spotted in March 2017 and targetting at that times mostly Russia", - "meta": { - "status": "Active" - } - }, - { - "value": "Terror EK", - "description": "Terror EK is built on Hunter, Sundown and RIG EK code", - "meta": { - "refs": [ - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-like-Error-Exploit-Kit/" - ], - "synonyms": [ - "Blaze EK", - "Neptune EK" - ], - "status": "Active" - } - }, - { - "value": "DealersChoice", - "description": "DealersChoice is a Flash Player Exploit platform triggered by RTF.\n\nDealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Network researchers analyzed two variants — variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. 
This new component appeared in 2016 and is still in use.", - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/", - "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/" - ], - "synonyms": [ - "Sednit RTF EK" - ], - "status": "Active" - } - }, - { - "value": "DNSChanger", - "description": "DNSChanger Exploit Kit is an exploit kit targeting Routers via the browser", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html", - "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices" - ], - "synonyms": [ - "RouterEK" - ], - "status": "Active" - } - }, - { - "value": "Disdain", - "description": "Disdain EK has been introduced on underground forum on 2017-08-07. 
The panel is stolen from Sundown, the pattern are Terror alike and the obfuscation reminds Nebula", - "meta": { - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/" - ], - "status": "Active" - } - }, - { - "value": "Kaixin", - "description": "Kaixin is an exploit kit mainly seen behind compromised website in Asia", - "meta": { - "refs": [ - "http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/", - "http://www.kahusecurity.com/2012/new-chinese-exploit-pack/" - ], - "synonyms": [ - "CK vip" - ], - "status": "Active" - } - }, - { - "value": "Magnitude", - "description": "Magnitude EK", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2013/10/Magnitude.html", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Peek-Into-the-Lion-s-Den-%E2%80%93-The-Magnitude--aka-PopAds--Exploit-Kit/", - "http://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html", - "https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood" - ], - "synonyms": [ - "Popads EK", - "TopExp" - ], - "status": "Active" - } - }, - { - "value": "MWI", - "description": "Microsoft Word Intruder is an exploit kit focused on Word and embedded flash exploits. The author wants to avoid their customer to use it in mass spam campaign, so it's most often connected to semi-targeted attacks", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html", - "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf" - ], - "status": "Active" - } - }, - { - "value": "RIG", - "description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. 
RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.", - "meta": { - "refs": [ - "http://www.kahusecurity.com/2014/rig-exploit-pack/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Reloaded---Examining-the-Architecture-of-RIG-Exploit-Kit-3-0/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/", - "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html" - ], - "synonyms": [ - "RIG 3", - "RIG-v", - "RIG 4", - "Meadgive" - ], - "status": "Active" - } - }, - { - "value": "Sednit EK", - "description": "Sednit EK is the exploit kit used by APT28", - "meta": { - "refs": [ - "http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/" - ], - "synonyms": [ - "SedKit" - ], - "status": "Active" - } - }, - { - "value": "Sundown-P", - "description": "Sundown-P/Sundown-Pirate is a rip of Sundown seen used in a private way (One group using it only) - First spotted at the end of June 2017, branded as CaptainBlack in August 2017", - "meta": { - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/promediads-malvertising-sundown-pirate-exploit-kit/" - ], - "synonyms": [ - "Sundown-Pirate", - "CaptainBlack" - ], - "status": "Active" - } - }, - { - "value": "Bizarro Sundown", - "description": "Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features", - "meta": { - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/", - "https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/" - ], - "synonyms": [ - "Sundown-b" - ], - "status": "Retired" - } - }, - { - "value": "Hunter", - "description": "Hunter EK is an evolution of 3Ros 
EK", - "meta": { - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers" - ], - "synonyms": [ - "3ROS Exploit Kit" - ], - "status": "Retired - Last seen 2017-02-06" - } - }, - { - "value": "GreenFlash Sundown", - "description": "GreenFlash Sundown is a variation of Bizarro Sundown without landing", - "meta": { - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/" - ], - "synonyms": [ - "Sundown-GF" - ], - "status": "Active" - } - }, - { - "value": "Angler", - "description": "The Angler Exploit Kit has been the most popular and evolved exploit kit from 2014 to middle of 2016. There was several variation. The historical \"indexm\" variant was used to spread Lurk. A vip version used notabily to spread Poweliks, the \"standard\" commercial version, and a declinaison tied to load selling (mostly bankers) that can be associated to EmpirePPC", - "meta": { - "refs": [ - "https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/", - "http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html", - "http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html" - ], - "synonyms": [ - "XXX", - "AEK", - "Axpergle" - ], - "status": "Retired - Last seen: 2016-06-07" - } - }, - { - "value": "Archie", - "description": "Archie EK", - "meta": { - "refs": [ - "https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit" - ], - "status": "Retired" - } - }, - { - "value": "BlackHole", - "description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. 
Its activity stopped with Paunch's arrest (all activity since then is anecdotal and based on an old leak)", - "meta": { - "refs": [ - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/", - "https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/" - ], - "synonyms": [ - "BHEK" - ], - "status": "Retired - Last seen: 2013-10-07" - } - }, - { - "value": "Bleeding Life", - "description": "Bleeding Life is an exploit kit that became open source with its version 2", - "meta": { - "refs": [ - "http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/", - "http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html" - ], - "synonyms": [ - "BL", - "BL2" - ], - "status": "Retired" - } - }, - { - "value": "Cool", - "description": "The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2012/10/newcoolek.html", - "http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html", - "http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/" - ], - "synonyms": [ - "CEK", - "Styxy Cool" - ], - "status": "Retired - Last seen: 2013-10-07" - } - }, - { - "value": "Fiesta", - "description": "Fiesta Exploit Kit", - "meta": { - "refs": [ - "http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an", - "http://www.kahusecurity.com/2011/neosploit-is-back/" - ], - "synonyms": [ - "NeoSploit", - "Fiexp" - ], - "status": "Retired - Last Seen: beginning of 2015-07" - } - }, - { - "value": "Empire", - "description": "The Empire Pack is a variation of RIG operated by a load seller. It's being fed by many traffic actors", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html" - ], - "synonyms": [ - "RIG-E" - ], - "status": "Retired - Last seen: 2016-12-29" - } - }, - { - "value": "FlashPack", - "description": "FlashPack EK got multiple fork. 
The most common variant seen was the standalone Flash version", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html", - "http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html" - ], - "synonyms": [ - "FlashEK", - "SafePack", - "CritXPack", - "Vintage Pack" - ], - "status": "Retired - Last seen: middle of 2015-04" - } - }, - { - "value": "GrandSoft", - "description": "GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013. Disappeared between march 2014 and September 2017", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html", - "http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html", - "https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/" - ], - "synonyms": [ - "StampEK", - "SofosFO" - ], - "status": "Active" - } - }, - { - "value": "HanJuan", - "description": "Hanjuan EK was a one actor fed variation of Angler EK used in evolved malvertising chain targeting USA. 
It has been using a 0day (CVE-2015-0313) from beginning of December 2014 till beginning of February 2015", - "meta": { - "refs": [ - "http://www.malwaresigs.com/2013/10/14/unknown-ek/", - "https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack", - "https://twitter.com/kafeine/status/562575744501428226" - ], - "status": "Retired - Last seen: 2015-07" - } - }, - { - "value": "Himan", - "description": "Himan Exploit Kit", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2013/10/HiMan.html" - ], - "synonyms": [ - "High Load" - ], - "status": "Retired - Last seen: 2014-04" - } - }, - { - "value": "Impact", - "description": "Impact EK", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html" - ], - "status": "Retired" - } - }, - { - "value": "Infinity", - "description": "Infinity is an evolution of Redkit", - "meta": { - "refs": [ - "http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html", - "http://www.kahusecurity.com/2014/the-resurrection-of-redkit/" - ], - "synonyms": [ - "Redkit v2.0", - "Goon" - ], - "status": "Retired - Last seen: 2014-07" - } - }, - { - "value": "Lightsout", - "description": "Lightsout Exploit Kit has been used in Watering Hole attack performed by the APT Group havex", - "meta": { - "refs": [ - "http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html", - "http://blog.talosintel.com/2014/05/continued-analysis-of-lightsout-exploit.html", - "http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html" - ], - "status": "Unknown - Last seen: 2014-03" - } - }, - { - "value": "Nebula", - "description": "Nebula Exploit Kit has been built on Sundown source and features an internal TDS", - "meta": { - "refs": [ - 
"http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html" - ], - "status": "Retired - Last seen 2017-03-09" - } - }, - { - "value": "Neutrino", - "description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html", - "http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html" - ], - "synonyms": [ - "Job314", - "Neutrino Rebooted", - "Neutrino-v" - ], - "status": "Retired - Last seen 2017-04-10" - } - }, - { - "value": "Niteris", - "description": "Niteris was used mainly to target Russian.", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2014/06/cottoncastle.html", - "http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html" - ], - "synonyms": [ - "CottonCastle" - ], - "status": "Unknown - Last seen: 2015-11" - } - }, - { - "value": "Nuclear", - "description": "The Nuclear Pack appeared in 2009 and has been one of the longer living one. 
Spartan EK was a landing less variation of Nuclear Pack", - "meta": { - "refs": [ - "http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/" - ], - "synonyms": [ - "NEK", - "Nuclear Pack", - "Spartan", - "Neclu" - ], - "status": "Retired - Last seen: 2015-04-30" - } - }, - { - "value": "Phoenix", - "description": "Phoenix Exploit Kit", - "meta": { - "refs": [ - "http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html", - "http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/" - ], - "synonyms": [ - "PEK" - ], - "status": "Retired" - } - }, - { - "value": "Private Exploit Pack", - "description": "Private Exploit Pack", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html", - "http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html" - ], - "synonyms": [ - "PEP" - ], - "status": "Retired" - } - }, - { - "value": "Redkit", - "description": "Redkit has been a major exploit kit in 2012. 
One of its specific features was to allow its access against a share of a percentage of the customer's traffic", - "meta": { - "refs": [ - "https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Wild-Exploit-Kit-Appears----Meet-RedKit/", - "http://malware.dontneedcoffee.com/2012/05/inside-redkit.html", - "https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/" - ], - "status": "Retired" - } - }, - { - "value": "Sakura", - "description": "Sakura Exploit Kit appeared in 2012 and was adopted by several big actor", - "meta": { - "refs": [ - "http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html" - ], - "status": "Retired - Last seen: 2013-09" - } - }, - { - "value": "SPL", - "description": "SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV", - "meta": { - "refs": [ - "http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/" - ], - "status": "Retired - Last seen: 2015-04", - "synonyms": [ - "SPL_Data", - "SPLNet", - "SPL2" - ] - } - }, - { - "value": "Sundown", - "description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html", - "https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road" - ], - "synonyms": [ - "Beps", - "Xer", - "Beta" - ], - "status": "Retired - Last seen 2017-03-08", - "colour": "#C03701" - } - }, - { - "value": "Sweet-Orange", - "description": "Sweet Orange", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html" - ], - "synonyms": [ - "SWO", - "Anogre" - ], - "status": "Retired - Last seen: 2015-04-05" - } - }, - { - "value": "Styx", - "description": "Styx Exploit Kit", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html", - 
"https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/", - "http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html" - ], - "status": "Retired - Last seen: 2014-06" - } - }, - { - "value": "WhiteHole", - "description": "WhiteHole Exploit Kit appeared in January 2013 in the tail of the CVE-2013-0422", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html" - ], - "status": "Retired - Last seen: 2013-12" - } - }, - { - "value": "Unknown", - "description": "Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.", - "meta": { - "refs": [ - "https://twitter.com/kafeine", - "https://twitter.com/node5", - "https://twitter.com/kahusecurity" - ] - } - } - ], - "version": 6, - "uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01", - "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years", - "authors": [ - "Kafeine", - "Will Metcalf", - "KahuSecurity" - ], - "source": "MISP Project", - "type": "exploit-kit", - "name": "Exploit-Kit" -} + "values": [ + { + "value": "Astrum", + "description": "Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. 
It's notable by its use of Steganography", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2014/09/astrum-ek.html", + "http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/" + ], + "synonyms": [ + "Stegano EK" + ], + "status": "Active" + }, + "uuid": "e9ca60cd-94fc-4a54-ac98-30e675a46b3e" + }, + { + "value": "Bingo", + "description": "Bingo EK is the name chosen by the defense for a Fiesta-ish EK first spotted in March 2017 and targetting at that times mostly Russia", + "meta": { + "status": "Active" + }, + "uuid": "9e864c01-3d9e-4b8d-811e-46471ff866e9" + }, + { + "value": "Terror EK", + "description": "Terror EK is built on Hunter, Sundown and RIG EK code", + "meta": { + "refs": [ + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-like-Error-Exploit-Kit/" + ], + "synonyms": [ + "Blaze EK", + "Neptune EK" + ], + "status": "Active" + }, + "uuid": "f15f9264-854e-4e25-8641-cde2faeb86e9" + }, + { + "value": "DealersChoice", + "description": "DealersChoice is a Flash Player Exploit platform triggered by RTF.\n\nDealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Network researchers analyzed two variants\u2009\u2014\u2009variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. 
This new component appeared in 2016 and is still in use.", + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/", + "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/" + ], + "synonyms": [ + "Sednit RTF EK" + ], + "status": "Active" + }, + "uuid": "0f116533-a755-4cfc-815a-fa6bcb85efb7" + }, + { + "value": "DNSChanger", + "description": "DNSChanger Exploit Kit is an exploit kit targeting Routers via the browser", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html", + "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices" + ], + "synonyms": [ + "RouterEK" + ], + "status": "Active" + }, + "uuid": "74fb6a14-1279-4a5b-939a-76478d36d3e1" + }, + { + "value": "Disdain", + "description": "Disdain EK has been introduced on underground forum on 2017-08-07. 
The panel is stolen from Sundown, the pattern are Terror alike and the obfuscation reminds Nebula", + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/" + ], + "status": "Active" + }, + "uuid": "1ded776d-6772-4cc8-a27f-f61e24a58d96" + }, + { + "value": "Kaixin", + "description": "Kaixin is an exploit kit mainly seen behind compromised website in Asia", + "meta": { + "refs": [ + "http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/", + "http://www.kahusecurity.com/2012/new-chinese-exploit-pack/" + ], + "synonyms": [ + "CK vip" + ], + "status": "Active" + }, + "uuid": "e6c1cfcf-3e37-4f5a-9494-989dd8c43d88" + }, + { + "value": "Magnitude", + "description": "Magnitude EK", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/10/Magnitude.html", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Peek-Into-the-Lion-s-Den-%E2%80%93-The-Magnitude--aka-PopAds--Exploit-Kit/", + "http://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html", + "https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood" + ], + "synonyms": [ + "Popads EK", + "TopExp" + ], + "status": "Active" + }, + "uuid": "6a313e11-5bb2-40ed-8cde-9de768b783b1" + }, + { + "value": "MWI", + "description": "Microsoft Word Intruder is an exploit kit focused on Word and embedded flash exploits. 
The author wants to avoid their customer to use it in mass spam campaign, so it's most often connected to semi-targeted attacks", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html", + "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf" + ], + "status": "Active" + }, + "uuid": "489acbf2-d80b-4bb5-ac7d-c8573dcb6324" + }, + { + "value": "RIG", + "description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.", + "meta": { + "refs": [ + "http://www.kahusecurity.com/2014/rig-exploit-pack/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Reloaded---Examining-the-Architecture-of-RIG-Exploit-Kit-3-0/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/", + "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html" + ], + "synonyms": [ + "RIG 3", + "RIG-v", + "RIG 4", + "Meadgive" + ], + "status": "Active" + }, + "uuid": "0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a" + }, + { + "value": "Sednit EK", + "description": "Sednit EK is the exploit kit used by APT28", + "meta": { + "refs": [ + "http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/" + ], + "synonyms": [ + "SedKit" + ], + "status": "Active" + }, + "uuid": "c8b9578a-78be-420c-a29b-9214d09685c8" + }, + { + "value": "Sundown-P", + "description": "Sundown-P/Sundown-Pirate is a rip of Sundown seen used in a private way (One group using it only) - First spotted at the end of June 2017, branded as 
CaptainBlack in August 2017", + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/promediads-malvertising-sundown-pirate-exploit-kit/" + ], + "synonyms": [ + "Sundown-Pirate", + "CaptainBlack" + ], + "status": "Active" + }, + "uuid": "3235ae90-598b-45dc-b336-852817b271a8" + }, + { + "value": "Bizarro Sundown", + "description": "Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features", + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/", + "https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/" + ], + "synonyms": [ + "Sundown-b" + ], + "status": "Retired" + }, + "uuid": "ef3b170e-3fbe-420b-b202-4689da137c50" + }, + { + "value": "Hunter", + "description": "Hunter EK is an evolution of 3Ros EK", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers" + ], + "synonyms": [ + "3ROS Exploit Kit" + ], + "status": "Retired - Last seen 2017-02-06" + }, + "uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c" + }, + { + "value": "GreenFlash Sundown", + "description": "GreenFlash Sundown is a variation of Bizarro Sundown without landing", + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/" + ], + "synonyms": [ + "Sundown-GF" + ], + "status": "Active" + }, + "uuid": "6e5c0dbb-fb0b-45ea-ac6c-bb6d8324bbd2" + }, + { + "value": "Angler", + "description": "The Angler Exploit Kit has been the most popular and evolved exploit kit from 2014 to middle of 2016. There was several variation. The historical \"indexm\" variant was used to spread Lurk. 
A vip version used notabily to spread Poweliks, the \"standard\" commercial version, and a declinaison tied to load selling (mostly bankers) that can be associated to EmpirePPC", + "meta": { + "refs": [ + "https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/", + "http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html", + "http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html" + ], + "synonyms": [ + "XXX", + "AEK", + "Axpergle" + ], + "status": "Retired - Last seen: 2016-06-07" + }, + "uuid": "5daf41c7-b297-4228-85d1-eb040d5b7c90" + }, + { + "value": "Archie", + "description": "Archie EK", + "meta": { + "refs": [ + "https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit" + ], + "status": "Retired" + }, + "uuid": "2756caae-d2c5-4170-9e76-2b7f1b1fccb1" + }, + { + "value": "BlackHole", + "description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's arrest (all activity since then is anecdotal and based on an old leak)", + "meta": { + "refs": [ + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/", + "https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/" + ], + "synonyms": [ + "BHEK" + ], + "status": "Retired - Last seen: 2013-10-07" + }, + "uuid": "e6201dc3-01a7-40c5-ba72-02fa470ada53" + }, + { + "value": "Bleeding Life", + "description": "Bleeding Life is an exploit kit that became open source with its version 2", + "meta": { + "refs": [ + "http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/", + "http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html" + ], + "synonyms": [ + "BL", + "BL2" + ], + "status": "Retired" + }, + "uuid": "5abe6240-dce2-4455-8125-ddae2e651243" + }, + { + "value": "Cool", + "description": "The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013", + "meta": { + "refs": [ + 
"http://malware.dontneedcoffee.com/2012/10/newcoolek.html", + "http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/" + ], + "synonyms": [ + "CEK", + "Styxy Cool" + ], + "status": "Retired - Last seen: 2013-10-07" + }, + "uuid": "9bb229b0-80f9-48e5-b8fb-00ee7af070cb" + }, + { + "value": "Fiesta", + "description": "Fiesta Exploit Kit", + "meta": { + "refs": [ + "http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an", + "http://www.kahusecurity.com/2011/neosploit-is-back/" + ], + "synonyms": [ + "NeoSploit", + "Fiexp" + ], + "status": "Retired - Last Seen: beginning of 2015-07" + }, + "uuid": "f50f860a-d795-4f4e-a170-8190f65499ad" + }, + { + "value": "Empire", + "description": "The Empire Pack is a variation of RIG operated by a load seller. It's being fed by many traffic actors", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html" + ], + "synonyms": [ + "RIG-E" + ], + "status": "Retired - Last seen: 2016-12-29" + }, + "uuid": "6eb15569-4ddd-4820-9a44-7bca5b303b86" + }, + { + "value": "FlashPack", + "description": "FlashPack EK got multiple fork. The most common variant seen was the standalone Flash version", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html", + "http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html" + ], + "synonyms": [ + "FlashEK", + "SafePack", + "CritXPack", + "Vintage Pack" + ], + "status": "Retired - Last seen: middle of 2015-04" + }, + "uuid": "55a30ccc-8905-4af2-a498-5c0010815cc1" + }, + { + "value": "GrandSoft", + "description": "GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013. 
Disappeared between march 2014 and September 2017", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html", + "http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html", + "https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/" + ], + "synonyms": [ + "StampEK", + "SofosFO" + ], + "status": "Active" + }, + "uuid": "180b6969-2aca-4642-b684-b57db8f0eff8" + }, + { + "value": "HanJuan", + "description": "Hanjuan EK was a one actor fed variation of Angler EK used in evolved malvertising chain targeting USA. It has been using a 0day (CVE-2015-0313) from beginning of December 2014 till beginning of February 2015", + "meta": { + "refs": [ + "http://www.malwaresigs.com/2013/10/14/unknown-ek/", + "https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack", + "https://twitter.com/kafeine/status/562575744501428226" + ], + "status": "Retired - Last seen: 2015-07" + }, + "uuid": "886abdc6-db1a-4fc5-afe0-e17d65a83614" + }, + { + "value": "Himan", + "description": "Himan Exploit Kit", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/10/HiMan.html" + ], + "synonyms": [ + "High Load" + ], + "status": "Retired - Last seen: 2014-04" + }, + "uuid": "3d0cb558-7f04-4be8-963e-5f137566b07b" + }, + { + "value": "Impact", + "description": "Impact EK", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html" + ], + "status": "Retired" + }, + "uuid": "319357b4-3041-4a71-89c5-51be08041d1b" + }, + { + "value": "Infinity", + "description": "Infinity is an evolution of Redkit", + "meta": { + "refs": [ + "http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html", + "http://www.kahusecurity.com/2014/the-resurrection-of-redkit/" + ], + "synonyms": [ + "Redkit v2.0", + 
"Goon" + ], + "status": "Retired - Last seen: 2014-07" + }, + "uuid": "4b858835-7b31-4b94-8144-b5175da1551f" + }, + { + "value": "Lightsout", + "description": "Lightsout Exploit Kit has been used in Watering Hole attack performed by the APT Group havex", + "meta": { + "refs": [ + "http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html", + "http://blog.talosintel.com/2014/05/continued-analysis-of-lightsout-exploit.html", + "http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html" + ], + "status": "Unknown - Last seen: 2014-03" + }, + "uuid": "244c05f8-1a2f-47fb-9dcf-2eaa99ab6aa1" + }, + { + "value": "Nebula", + "description": "Nebula Exploit Kit has been built on Sundown source and features an internal TDS", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html" + ], + "status": "Retired - Last seen 2017-03-09" + }, + "uuid": "4ca96067-8fdd-4b48-bd34-d2e175e27bad" + }, + { + "value": "Neutrino", + "description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). 
This EK vanished from march 2014 till november 2014.", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html", + "http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html" + ], + "synonyms": [ + "Job314", + "Neutrino Rebooted", + "Neutrino-v" + ], + "status": "Retired - Last seen 2017-04-10" + }, + "uuid": "218ae39b-2f92-4355-91c6-50cce319d26d" + }, + { + "value": "Niteris", + "description": "Niteris was used mainly to target Russian.", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2014/06/cottoncastle.html", + "http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html" + ], + "synonyms": [ + "CottonCastle" + ], + "status": "Unknown - Last seen: 2015-11" + }, + "uuid": "b344133f-e223-4fda-8fb2-88ad7999e549" + }, + { + "value": "Nuclear", + "description": "The Nuclear Pack appeared in 2009 and has been one of the longer living one. Spartan EK was a landing less variation of Nuclear Pack", + "meta": { + "refs": [ + "http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/" + ], + "synonyms": [ + "NEK", + "Nuclear Pack", + "Spartan", + "Neclu" + ], + "status": "Retired - Last seen: 2015-04-30" + }, + "uuid": "e7c516f9-5222-4f0d-b80b-ae9f4c24583d" + }, + { + "value": "Phoenix", + "description": "Phoenix Exploit Kit", + "meta": { + "refs": [ + "http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/" + ], + "synonyms": [ + "PEK" + ], + "status": "Retired" + }, + "uuid": "0df2c7a6-046f-4489-8c77-0999c92c839d" + }, + { + "value": "Private Exploit Pack", + "description": "Private Exploit Pack", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html", + "http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html" + ], + "synonyms": [ + 
"PEP" + ], + "status": "Retired" + }, + "uuid": "cfd0a4af-f559-496f-b56b-97145ea4e4c3" + }, + { + "value": "Redkit", + "description": "Redkit has been a major exploit kit in 2012. One of its specific features was to allow its access against a share of a percentage of the customer's traffic", + "meta": { + "refs": [ + "https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Wild-Exploit-Kit-Appears----Meet-RedKit/", + "http://malware.dontneedcoffee.com/2012/05/inside-redkit.html", + "https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/" + ], + "status": "Retired" + }, + "uuid": "6958ff90-75e8-47ee-ab07-daa8d487130c" + }, + { + "value": "Sakura", + "description": "Sakura Exploit Kit appeared in 2012 and was adopted by several big actor", + "meta": { + "refs": [ + "http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html" + ], + "status": "Retired - Last seen: 2013-09" + }, + "uuid": "12af9112-3ac5-4422-858e-a22c293c6117" + }, + { + "value": "SPL", + "description": "SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV", + "meta": { + "refs": [ + "http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/" + ], + "status": "Retired - Last seen: 2015-04", + "synonyms": [ + "SPL_Data", + "SPLNet", + "SPL2" + ] + }, + "uuid": "15936d30-c151-4051-835e-df327143ce76" + }, + { + "value": "Sundown", + "description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html", + "https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road" + ], + "synonyms": [ + "Beps", + "Xer", + "Beta" + ], + "status": "Retired - Last seen 2017-03-08", + "colour": "#C03701" + }, + "uuid": "670e28c4-001a-4ba4-b276-441620225123" + }, + { + "value": "Sweet-Orange", + "description": "Sweet Orange", + "meta": { + "refs": [ + 
"http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html" + ], + "synonyms": [ + "SWO", + "Anogre" + ], + "status": "Retired - Last seen: 2015-04-05" + }, + "uuid": "222bc508-4d8d-4972-9cac-65192cfefd43" + }, + { + "value": "Styx", + "description": "Styx Exploit Kit", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html", + "https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/", + "http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html" + ], + "status": "Retired - Last seen: 2014-06" + }, + "uuid": "006eaa87-e8a6-4808-93ff-302b52c628b0" + }, + { + "value": "WhiteHole", + "description": "WhiteHole Exploit Kit appeared in January 2013 in the tail of the CVE-2013-0422", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html" + ], + "status": "Retired - Last seen: 2013-12" + }, + "uuid": "570bc715-7fe8-430b-bd2e-5512c95f2370" + }, + { + "value": "Unknown", + "description": "Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.", + "meta": { + "refs": [ + "https://twitter.com/kafeine", + "https://twitter.com/node5", + "https://twitter.com/kahusecurity" + ] + }, + "uuid": "00815961-3249-4e2e-9421-bb57feb73bb2" + } + ], + "version": 6, + "uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01", + "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years", + "authors": [ + "Kafeine", + "Will Metcalf", + "KahuSecurity" + ], + "source": "MISP Project", + "type": "exploit-kit", + "name": "Exploit-Kit" +} \ No newline at end of file 
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index 5c771ea..e9b60ff 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json 
@@ -1,116 +1,125 @@ { - "version": 3, - "uuid": "28b5e55d-acba-4748-a79d-0afa3512689a", - "description": "Activity groups as described by Microsoft", - "authors": [ - "Various" - ], - "source": "MISP Project", - "type": "microsoft-activity-group", - "name": "Microsoft Activity Group actor", - "values": [ - { - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" - ] - }, - "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", - "value": "PROMETHIUM" - }, - { - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" - ] - }, - "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", - "value": "NEODYMIUM" - }, - { - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" - ] - }, - "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. 
Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", - "value": "TERBIUM" - }, - { - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/", - "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf", - "https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/" - ], - "country": "RU", - "synonyms": [ - "APT 28", - "APT28", - "Pawn Storm", - "Fancy Bear", - "Sednit", - "TsarTeam", - "TG-4127", - "Group-4127", - "Sofacy", - "Grey-Cloud" - ] - }, - "description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer. 
", - "value": "STRONTIUM" - }, - { - "description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.", - "value": "DUBNIUM", - "meta": { - "refs": [ - "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", - "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2", - "https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/", - "https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" - ], - "synonyms": [ - "darkhotel" - ] - } - }, - { - "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. 
The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.", - "value": "PLATINUM", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/", - "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" - ] - } - }, - { - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" - ] - }, - "description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. 
Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.", - "value": "BARIUM" - }, - { - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" - ] - }, - "description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD’s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD’s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. 
In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.", - "value": "LEAD" - }, - { - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/" - ] - }, - "description": "In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit. ", - "value": "ZIRCONIUM" - } - ] -} + "version": 3, + "uuid": "28b5e55d-acba-4748-a79d-0afa3512689a", + "description": "Activity groups as described by Microsoft", + "authors": [ + "Various" + ], + "source": "MISP Project", + "type": "microsoft-activity-group", + "name": "Microsoft Activity Group actor", + "values": [ + { + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + ] + }, + "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. 
In each of the campaigns, Truvasys malware evolved with additional features\u2014this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", + "value": "PROMETHIUM", + "uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f" + }, + { + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + ] + }, + "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor\u2019s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", + "value": "NEODYMIUM", + "uuid": "47b5007a-3fb1-466a-9578-629e6e735493" + }, + { + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" + ] + }, + "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. 
Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", + "value": "TERBIUM", + "uuid": "99784b80-6298-45ba-885c-0ed37bfd8324" + }, + { + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/", + "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf", + "https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/" + ], + "country": "RU", + "synonyms": [ + "APT 28", + "APT28", + "Pawn Storm", + "Fancy Bear", + "Sednit", + "TsarTeam", + "TG-4127", + "Group-4127", + "Sofacy", + "Grey-Cloud" + ] + }, + "description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims\u2019 computer. 
", + "value": "STRONTIUM", + "uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec" + }, + { + "description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.", + "value": "DUBNIUM", + "meta": { + "refs": [ + "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", + "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2", + "https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/", + "https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" + ], + "synonyms": [ + "darkhotel" + ] + }, + "uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a" + }, + { + "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. 
The group\u2019s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.", + "value": "PLATINUM", + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/", + "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" + ] + }, + "uuid": "154e97b5-47ef-415a-99a6-2157f1b50339" + }, + { + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" + ] + }, + "description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups\u2014collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims\u2014particularly those working in Business Development or Human Resources\u2014on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. 
Initial intrusion stages feature the Win32/Barlaiy implant\u2014notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.", + "value": "BARIUM", + "uuid": "cc70bdbd-afa7-4e19-bba2-2443811ef3af" + }, + { + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" + ] + }, + "description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD\u2019s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD\u2019s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD\u2019s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. 
In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
+ "value": "LEAD",
+ "uuid": "f542442e-ba0f-425d-b386-6c10351a468e"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/"
+ ]
+ },
+ "description": "In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit. ",
+ "value": "ZIRCONIUM",
+ "uuid": "2d19c573-252b-49d8-8c2e-3b529b91e72d"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json
index 1f7c71c..ae02067 100644
--- a/clusters/preventive-measure.json
+++ b/clusters/preventive-measure.json
@@ -1,271 +1,289 @@ { - "values": [ - { - "meta": { - "refs": [ - "http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7." - ], - "complexity": "Medium", - "effectiveness": "High", - "impact": "Low", - "type": [ - "Recovery" - ] - }, - "value": "Backup and Restore Process", - "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore" - }, - { - "meta": { - "refs": [ - "https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US", - "https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter" - ], - "complexity": "Low", - "effectiveness": "High", - "impact": "Low", - "type": [ - "GPO" - ] - }, - "value": "Block Macros", - "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) 
Open downloaded documents and block all macros" - }, - { - "meta": { - "refs": [ - "http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html" - ], - "complexity": "Low", - "effectiveness": "Medium", - "impact": "Medium", - "type": [ - "GPO" - ], - "possible_issues": "Administrative VBS scripts on Workstations" - }, - "value": "Disable WSH", - "description": "Disable Windows Script Host" - }, - { - "meta": { - "complexity": "Low", - "effectiveness": "Medium", - "impact": "Low", - "type": [ - "Mail Gateway" - ] - }, - "value": "Filter Attachments Level 1", - "description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub" - }, - { - "meta": { - "complexity": "Low", - "effectiveness": "High", - "impact": "High", - "type": [ - "Mail Gateway" - ], - "possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) " - }, - "value": "Filter Attachments Level 2", - "description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm" - }, - { - "meta": { - "refs": [ - "http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/", - "http://www.thirdtier.net/ransomware-prevention-kit/" - ], - "complexity": "Medium", - "effectiveness": "Medium", - "impact": "Medium", - "type": [ - "GPO" - ], - "possible_issues": "Web embedded software installers" - }, - "value": "Restrict program execution", - "description": "Block all program executions from the %LocalAppData% and %AppData% folder" - }, - { - "meta": { - "refs": [ - 
"http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm" - ], - "complexity": "Low", - "effectiveness": "Low", - "impact": "Low", - "type": [ - "User Assistence" - ] - }, - "value": "Show File Extensions", - "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")" - }, - { - "meta": { - "refs": [ - "https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx" - ], - "complexity": "Low", - "effectiveness": "Medium", - "impact": "Low", - "type": [ - "GPO" - ], - "possible_issues": "administrator resentment" - }, - "value": "Enforce UAC Prompt", - "description": "Enforce administrative users to confirm an action that requires elevated rights" - }, - { - "meta": { - "complexity": "Medium", - "effectiveness": "Medium", - "impact": "Medium", - "type": [ - "Best Practice" - ], - "possible_issues": "Higher administrative costs" - }, - "value": "Remove Admin Privileges", - "description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to." 
- }, - { - "meta": { - "complexity": "Medium", - "effectiveness": "Low", - "impact": "Low", - "type": [ - "Best Practice" - ] - }, - "value": "Restrict Workstation Communication", - "description": "Activate the Windows Firewall to restrict workstation to workstation communication" - }, - { - "meta": { - "complexity": "Medium", - "effectiveness": "High", - "type": [ - "Advanced Malware Protection" - ] - }, - "value": "Sandboxing Email Input", - "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis" - }, - { - "meta": { - "complexity": "Medium", - "effectiveness": "Medium", - "type": [ - "3rd Party Tools" - ] - }, - "value": "Execution Prevention", - "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor" - }, - { - "meta": { - "refs": [ - "https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/" - ], - "complexity": "Low", - "effectiveness": "Medium", - "impact": "Medium", - "type": [ - "GPO" - ], - "possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts." 
- }, - "value": "Change Default \"Open With\" to Notepad", - "description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer" - }, - { - "meta": { - "refs": [ - "http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm" - ], - "complexity": "Low", - "effectiveness": "Medium", - "impact": "Low", - "type": [ - "Monitoring" - ] - }, - "value": "File Screening", - "description": "Server-side file screening with the help of File Server Resource Manager" - }, - { - "meta": { - "refs": [ - "https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx", - "http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx" - ], - "complexity": "Medium", - "effectiveness": "Medium", - "impact": "Medium", - "type": [ - "GPO" - ], - "possible_issues": "Configure & test extensively" - }, - "value": "Restrict program execution #2", - "description": "Block program executions (AppLocker)" - }, - { - "meta": { - "refs": [ - "www.microsoft.com/emet", - "http://windowsitpro.com/security/control-emet-group-policy" - ], - "complexity": "Medium", - "effectiveness": "Medium", - "impact": "Low", - "type": [ - "GPO" - ] - }, - "value": "EMET", - "description": "Detect and block exploitation techniques" - }, - { - "meta": { - "refs": [ - "https://twitter.com/JohnLaTwC/status/799792296883388416" - ], - "complexity": "Medium", - "effectiveness": "Low", - "impact": "Low", - "type": [ - "3rd Party Tools" - ] - }, - "value": "Sysmon", - "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring" - }, - { - "value": "Blacklist-phone-numbers", - "description": "Filter the numbers at phone routing level including PABX", - "meta": { - "refs": [ - 
"https://wiki.freepbx.org/display/FPG/Blacklist+Module+User+Guide#BlacklistModuleUserGuide-ImportingorExportingaBlacklistinCSVFileFormat" - ], - "effectiveness": "Medium", - "impact": "Medium", - "complexity": "Low" - } - } - ], - "name": "Preventive Measure", - "type": "preventive-measure", - "source": "MISP Project", - "authors": [ - "Various" - ], - "description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.", - "uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65", - "version": 3 -} + "values": [ + { + "meta": { + "refs": [ + "http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7." + ], + "complexity": "Medium", + "effectiveness": "High", + "impact": "Low", + "type": [ + "Recovery" + ] + }, + "value": "Backup and Restore Process", + "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schr\u00f6dinger's backup - it is both existent and non-existent until you've tried a restore", + "uuid": "5f942376-ea5b-4b23-9c26-81d3aeba7fb4" + }, + { + "meta": { + "refs": [ + "https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US", + "https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter" + ], + "complexity": "Low", + "effectiveness": "High", + "impact": "Low", + "type": [ + "GPO" + ] + }, + "value": "Block Macros", + "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) 
Open downloaded documents and block all macros", + "uuid": "79563662-8d92-4fd1-929a-9b8926a62685" + }, + { + "meta": { + "refs": [ + "http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html" + ], + "complexity": "Low", + "effectiveness": "Medium", + "impact": "Medium", + "type": [ + "GPO" + ], + "possible_issues": "Administrative VBS scripts on Workstations" + }, + "value": "Disable WSH", + "description": "Disable Windows Script Host", + "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f" + }, + { + "meta": { + "complexity": "Low", + "effectiveness": "Medium", + "impact": "Low", + "type": [ + "Mail Gateway" + ] + }, + "value": "Filter Attachments Level 1", + "description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub", + "uuid": "7055b72b-b113-4f93-8387-e6f58ce5fc92" + }, + { + "meta": { + "complexity": "Low", + "effectiveness": "High", + "impact": "High", + "type": [ + "Mail Gateway" + ], + "possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) " + }, + "value": "Filter Attachments Level 2", + "description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm", + "uuid": "8c9bbbf5-a321-4eb1-8c03-a399a9687687" + }, + { + "meta": { + "refs": [ + "http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/", + "http://www.thirdtier.net/ransomware-prevention-kit/" + ], + "complexity": "Medium", + "effectiveness": "Medium", + "impact": "Medium", + "type": [ + "GPO" + ], + "possible_issues": "Web embedded software installers" + }, + "value": 
"Restrict program execution", + "description": "Block all program executions from the %LocalAppData% and %AppData% folder", + "uuid": "6a234b1d-8e86-49c4-91d6-cc3be3d04f74" + }, + { + "meta": { + "refs": [ + "http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm" + ], + "complexity": "Low", + "effectiveness": "Low", + "impact": "Low", + "type": [ + "User Assistence" + ] + }, + "value": "Show File Extensions", + "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")", + "uuid": "5b911d46-66c8-4180-ab97-663a0868264e" + }, + { + "meta": { + "refs": [ + "https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx" + ], + "complexity": "Low", + "effectiveness": "Medium", + "impact": "Low", + "type": [ + "GPO" + ], + "possible_issues": "administrator resentment" + }, + "value": "Enforce UAC Prompt", + "description": "Enforce administrative users to confirm an action that requires elevated rights", + "uuid": "3f8c55db-611e-4831-b624-f9cbdc3b0e11" + }, + { + "meta": { + "complexity": "Medium", + "effectiveness": "Medium", + "impact": "Medium", + "type": [ + "Best Practice" + ], + "possible_issues": "Higher administrative costs" + }, + "value": "Remove Admin Privileges", + "description": "Remove and restrict administrative rights whenever possible. 
Malware can only modify files that users have write access to.", + "uuid": "168f94d3-4ffc-4ea6-8f2e-8ba699f0fef6" + }, + { + "meta": { + "complexity": "Medium", + "effectiveness": "Low", + "impact": "Low", + "type": [ + "Best Practice" + ] + }, + "value": "Restrict Workstation Communication", + "description": "Activate the Windows Firewall to restrict workstation to workstation communication", + "uuid": "fb25c345-0cee-4ae7-ab31-c1c801cde1c2" + }, + { + "meta": { + "complexity": "Medium", + "effectiveness": "High", + "type": [ + "Advanced Malware Protection" + ] + }, + "value": "Sandboxing Email Input", + "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis", + "uuid": "7960740f-71a5-42db-8a1a-1c7ccbf83349" + }, + { + "meta": { + "complexity": "Medium", + "effectiveness": "Medium", + "type": [ + "3rd Party Tools" + ] + }, + "value": "Execution Prevention", + "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor", + "uuid": "bfda0c9e-1303-4861-b028-e0506dd8861c" + }, + { + "meta": { + "refs": [ + "https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/" + ], + "complexity": "Low", + "effectiveness": "Medium", + "impact": "Medium", + "type": [ + "GPO" + ], + "possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts." 
+ }, + "value": "Change Default \"Open With\" to Notepad", + "description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer", + "uuid": "3b7bc1b2-e04f-4492-b3b1-87bb6701635b" + }, + { + "meta": { + "refs": [ + "http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm" + ], + "complexity": "Low", + "effectiveness": "Medium", + "impact": "Low", + "type": [ + "Monitoring" + ] + }, + "value": "File Screening", + "description": "Server-side file screening with the help of File Server Resource Manager", + "uuid": "79769940-7cd2-4aaa-80da-b90c0372b898" + }, + { + "meta": { + "refs": [ + "https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx", + "http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx" + ], + "complexity": "Medium", + "effectiveness": "Medium", + "impact": "Medium", + "type": [ + "GPO" + ], + "possible_issues": "Configure & test extensively" + }, + "value": "Restrict program execution #2", + "description": "Block program executions (AppLocker)", + "uuid": "feb6cddb-4182-4515-94dc-0eadffcdc098" + }, + { + "meta": { + "refs": [ + "www.microsoft.com/emet", + "http://windowsitpro.com/security/control-emet-group-policy" + ], + "complexity": "Medium", + "effectiveness": "Medium", + "impact": "Low", + "type": [ + "GPO" + ] + }, + "value": "EMET", + "description": "Detect and block exploitation techniques", + "uuid": "5f0a749f-88f2-4e6e-8fd8-46307f8439f6" + }, + { + "meta": { + "refs": [ + "https://twitter.com/JohnLaTwC/status/799792296883388416" + ], + "complexity": "Medium", + "effectiveness": "Low", + "impact": "Low", + "type": [ + "3rd Party Tools" + ] + }, + "value": "Sysmon", + "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring", + "uuid": 
"1b1e5664-4250-459b-adbb-f0b33f64bf7e"
+ },
+ {
+ "value": "Blacklist-phone-numbers",
+ "description": "Filter the numbers at phone routing level including PABX",
+ "meta": {
+ "refs": [
+ "https://wiki.freepbx.org/display/FPG/Blacklist+Module+User+Guide#BlacklistModuleUserGuide-ImportingorExportingaBlacklistinCSVFileFormat"
+ ],
+ "effectiveness": "Medium",
+ "impact": "Medium",
+ "complexity": "Low"
+ },
+ "uuid": "123e20c5-8f44-4de5-a183-6890788e5a81"
+ }
+ ],
+ "name": "Preventive Measure",
+ "type": "preventive-measure",
+ "source": "MISP Project",
+ "authors": [
+ "Various"
+ ],
+ "description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
+ "uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65",
+ "version": 3
+}
\ No newline at end of file
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index f088473..7d75f13 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
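Review bot: The footer of preventive-measure.json keeps `"version": 3` although every entry in `values` now carries a new `uuid` field; if consumers decide whether to re-import a cluster by comparing this number (which I believe is how MISP galaxy updates work), the added identifiers will never reach installations that already hold version 3, so the line should become `"version": 4`. The new side also ends with `\ No newline at end of file` while the removed side had a trailing newline, so the commit drops it; restoring the final newline keeps future diffs minimal. The android.json hunk that closes just above shows the same missing trailing newline.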
@@ -1,8774 +1,9301 @@ { - "authors": [ - "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml", - "http://pastebin.com/raw/GHgpWjar" - ], - "values": [ - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/nhtnwcuf-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-OkiR6pVmYUw/WMFiLGPuJhI/AAAAAAAAEME/wccYzFDIzJYWKXVxaTQeB4vM-4X6h3atgCLcB/s1600/note-nhtnwcuf.gif" - ], - "encryption": "AES", - "extensions": [ - "RANDOM 3 LETTERS ARE ADDED" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Nhtnwcuf Ransomware (Fake)" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/cryptojacky-ransomware.html", - "https://twitter.com/jiriatvirlab/status/838779371750031360" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-pSmSehFx0bI/WL8Rp7RoMHI/AAAAAAAAEKw/eyfsAjikl9sDHlcjdyQeRxZsLto4hxvGwCLcB/s1600/note-1-2.png" - ], - "encryption": "AES", - "extensions": [ - "RANDOM 3 LETTERS ARE ADDED" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "CryptoJacky Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/kaenlupuf-ransomware.html" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-yTOgGw5v_vo/WMBUGHN7bnI/AAAAAAAAELY/8DDyxB4pSWgje_-iVbXgy2agNty1X6D6ACLcB/s1600/C6TUfkZWAAEewi_.jpg" - ], - "encryption": "AES-128", - "date": "March 2017" - }, - "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Kaenlupuf Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/enjey-crypter-ransomware.html", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2017-spora-cerber-and-technical-writeups/", - "https://www.bleepingcomputer.com/news/security/embittered-enjey-ransomware-developer-launches-ddos-attack-on-id-ransomware/" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-rkOR4L9jDZc/WMG1uI6vqQI/AAAAAAAAEMk/SAu_FleTLHcagf_maS31xt3D_qnwAx2RQCLcB/s1600/note-enjey_2.png" - ], - "encryption": "AES-256", - "extensions": [ - "example:.encrypted.contact_here_me@india.com.enjey" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "EnjeyCrypter Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/dangerous-ransomware.html" - ], - "ransomnotes": [ - "DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com" - ], - "encryption": "AES-128", - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Dangerous Ransomware" - }, - { - "meta": { - "synonyms": [ - "Ŧl๏tєгค гคภร๏๓ฬคгє" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/vortex-ransomware.html", - "https://twitter.com/struppigel/status/839778905091424260" - ], - "ransomnotes": [ - "Vortex Ransomware\nCan not find the files on the hard drive? The contents of the files do not open?This is the result of the work of the program, which encrypts a lot of your data with the help of a strong algorithm AES-256, used by power structures to mask the data transferred in electronic form.The only way to recover your files is to buy a decryption program from us, using a one-time key created for you!When you decide to restore your data, please contact us by e-mail: rsapl@openmailbox.org or poiskiransom@airmail.cc2 files will be decrypted in vain to prove that we can do it, for the others, unfortunately, have to pay!\nPrice for the decryption of all files: $ 199\nAttention! 
Do not waste your time,time is money, after 4 days the price will increase by 100%!\nIP = ID =" - ], - "extensions": [ - ".aes" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Vortex Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/gc47-ransomware.html" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-i4i0joM4qRk/WMO7sKLu4dI/AAAAAAAAENU/vLR4B1Xg39wduycHe2f0vEYSv_dtJ-gxwCLcB/s1600/note.jpg" - ], - "encryption": "AES-128", - "extensions": [ - ".fuck_you" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "GC47 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/rozalocker-ransomware.html", - "https://twitter.com/jiriatvirlab/status/840863070733885440" - ], - "ransomnotes": [ - "OUR FILES are encrypted (EVEN NOT LOOKING THAT THEY ARE PARTIALLY OPEN). WE HAVE YOUR LOGIN AND PASSWORD FROM THE ENTERTAINMENT, ONE-CLASSICS, ONLINE BANKS AND OTHERS.\nYOU HAVE 6 HOURS TO PAY FOR A PURCHASE FOR THEM, OTHERWISE WE SHOULD PUT INTO OPEN ACCESS!\nINSTRUCTION:\n1) Find 10 000 (10 thousand) rubles, not less. 
Suitable for the following - (Qiwi, Sberbank, Yandex.Money, Tinkoff Bank, VTB, but better Qiwi (faster)\n2) In the browser, open the site https://x-pay.cc/ - through this site you will transfer money\n3) In the column I DELETE where you will translate (according to item 1) and above enter the amount - 10,000 rubles.\n4) In the RIGHT I select Bitcoin and on top the amount should automatically be transferred tobtc\n5) In the column DATA ENTRY, fill in your requisites from where you will pay and where to transfer (Bitcoin wallet)\nATTENTION-ATTENTION,CORRECTly copy this number to a purse (yes, it's so strange)3FjtFZWjyj46UcfDY4AiUrEv7wLtyzZv5o After inserting, carefully, again check whether it is copied correctly.\n6) Click on GO TO PAY and follow the instructions on the site.\nIn a couple of hours we'll write you on the desktop and return everything to you.\nIf there are difficulties, then write on the mailbox - aoneder@mail.ru" - ], - "encryption": "AES-128", - "extensions": [ - ".enc", - ".ENC" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ", - "value": "RozaLocker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html" - ], - "ransomnotes": [ - "Blocked Your computer has been blocked All your files are encrypted. 
To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the \"Buy Bitcoins\" section and then buy Bitcoin Step 4: Go to the \"Send\" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear 'Check' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites." - ], - "encryption": "AES-128", - "extensions": [ - ".enc" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "CryptoMeister Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/gg-ransomware.html" - ], - "encryption": "AES-128", - "extensions": [ - ".GG" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Poses as Hewlett-Packard 2016", - "value": "GG Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/project34-ransomware.html" - ], - "ransomnotes": [ - "(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU", - "ПАРОЛЬ.txt" - ], - "encryption": "AES-128", - "extensions": [ - ".Project34" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Project34 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/petrwrap-ransomware.html", - "https://www.bleepingcomputer.com/news/security/petrwrap-ransomware-is-a-petya-offspring-used-in-targeted-attacks/", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/", - "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-ZbWrN1LR-14/WMhPB7M8LBI/AAAAAAAAERQ/ZGG3RDHd8V0hwK_pf-vYChTn9VRpLBgNQCLcB/s1600/petya-based_ru_3.png" - ], - "encryption": "AES-128", - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "PetrWrap Ransomware" - }, - { - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/", - "https://id-ransomware.blogspot.co.il/2017/03/karmen-ransomware.html", - "https://twitter.com/malwrhunterteam/status/841747002438361089" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-OmuOKzLOHnw/WMl74fSSaJI/AAAAAAAAESg/4CsOYOSuUeEhsO4jSi6k10sbb_1NnfYxACLcB/s1600/lock-screen.jpg" - ], - "encryption": "AES-128", - "extensions": [ - ".grt" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. RaaS, baed on HiddenTear", - "value": "Karmen Ransomware" - }, - { - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", - "https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg", - "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. 
You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.", - "# !!!HELP_FILE!!! #.txt" - ], - "encryption": "AES-256 + RSA-1024", - "extensions": [ - ".REVENGE" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant", - "value": "Revenge Ransomware" - }, - { - "meta": { - "synonyms": [ - "Fake CTB-Locker" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html", - "https://twitter.com/JakubKroustek/status/842034887397908480" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg", - "FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the \"My Documents\" folder for more information in the file \"Beni Oku.txt\". Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. 
Antivirus scanning does not help to recover files, but can lead to loss.", - "Beni Oku.txt" - ], - "encryption": "AES", - "extensions": [ - ".encrypted" - ], - "date": "March 2017" - }, - "description": "his is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Turkish FileEncryptor Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/kirkspock-ransomware.html", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/", - "https://www.bleepingcomputer.com/forums/t/642239/kirk-ransomware-help-support-topic-kirk-extension-ransom-notetxt/", - "http://www.networkworld.com/article/3182415/security/star-trek-themed-kirk-ransomware-has-spock-decryptor-demands-ransom-be-paid-in-monero.html", - "http://www.securityweek.com/star-trek-themed-kirk-ransomware-emerges", - "https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/", - "https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc/analysis/" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png", - "!IMPORTANT ! READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don't work. This may have broken some software, including games, office suites etc. Here's a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. 
To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension '.kirked\n', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named 'pwd' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n\"Logic, motherfucker.\" ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you're still unsure, google' bitcoin exchange'. Sign up at one of these exchange sites and send the payment to the address below. Make note of the payment / transaction ID, or make one up if you have the option. Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. 
You will recieve your decrypted password file and a program called 'Spock'. Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don't fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER", - "RANSOM_NOTE.txt" - ], - "encryption": "AES+RSA", - "extensions": [ - ".kirked", - ".Kirked" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Payments in Monero", - "value": "Kirk Ransomware & Spock Decryptor" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html", - "https://twitter.com/demonslay335?lang=en", - "https://twitter.com/malwrhunterteam/status/842781575410597894" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg", - "ZINO_NOTE.TXT" - ], - "encryption": "AES", - "extensions": [ - ".ZINO" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "ZinoCrypt Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html", - "https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84", - "http://www.fixinfectedpc.com/uninstall-crptxxx-ransomware-from-pc", - "https://twitter.com/malwrhunterteam/status/839467168760725508" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png", - "HOW_TO_FIX_!.txt" - ], - "encryption": "AES", - "extensions": [ - ".crptxxx" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Uses @enigma0x3's UAC bypass", - "value": "Crptxxx Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html", - "https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/", - "https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png", - "motd.txt" - ], - "extensions": [ - ".enc" - ], - "date": "March 2017" - }, - "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "MOTD Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/cryptodevil-ransomware.html", - "https://twitter.com/PolarToffee/status/843527738774507522" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-i5iUwC8XWDo/WM7dSVNQ8UI/AAAAAAAAEVY/uXmUErkLgHcWbfpdw1zGTvwY9DimiAH8wCLcB/s1600/lock-panel.jpg", - "https://1.bp.blogspot.com/-9ovaMSUgtFQ/WM7dXo84tlI/AAAAAAAAEVc/_Zx9gZuvHA0tU9-jtzP492bXa5fQiL7kgCLcB/s1600/key-price.jpg" - ], - "encryption": "AES", - "extensions": [ - ".devil" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "CryptoDevil Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html", - "https://twitter.com/struppigel/status/837565766073475072" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png" - ], - "encryption": "AES-256+RSA", - "extensions": [ - ".locked" - ], - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Based on HiddenTear", - "value": "FabSysCrypto Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/lock2017-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-FllHGqIx_JQ/WL1QF2uMCCI/AAAAAAAAEJQ/Fn-8j2t8dwgSo8YTHM1iOkL-3U_hbcaKwCLcB/s1600/Note_2.png" - ], - "encryption": "AES+RSA", - "extensions": [ - "[file_name.file_ext].id-[UserID]__contact_me_lock2017@protonmail.com_or_lock2017@unseen.is" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Lock2017 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/redants-ransomware.html" - ], - "encryption": "AES", - "extensions": [ - ".Horas-Bah" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "RedAnts Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/consoleapplication1-ransomware.html" - ], - "encryption": "AES", - "extensions": [ - ".locked" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "ConsoleApplication1 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/03/krider-ransomware.html", - "https://twitter.com/malwrhunterteam/status/836995570384453632" - ], - "encryption": "AES", - "extensions": [ - ".kr3" - ], - "date": "March 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "KRider Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/search?updated-min=2017-01-01T00:00:00-08:00&updated-max=2018-01-01T00:00:00-08:00&max-results=50" - ], - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg", - "value": "CYR-Locker Ransomware (FAKE)" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/dotransomware.html" - ], - "ransomnotes": [ - "DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) 
\nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. Recommended decryption price: 0.1 Recommended special decryption prices: FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2 Recommended attacked extensions: *** Recommendation: You need to test builded exe file inside virtual machine, because operability can be broken after crypt/pack of core! \nLinks to website: ***", - "https://4.bp.blogspot.com/-BoKI2-Lhsp8/WLHq34zCtdI/AAAAAAAAECo/YkfIG29vRRsLvdn51ctrMEypptRzZS2IgCLcB/s1600/raas.png" - ], - "encryption": "AES", - "extensions": [ - ".locked" - ], - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "DotRansomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html", - "https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png", - "https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png", - "ReadMe-[3_random_chars].html" - ], - "encryption": "AES", - "extensions": [ - ".locked-[3_random_chars]" - ], - "date": "February 2017" - }, - "description": "About: This is most likely to affect English speaking users, since the note is written in English. 
English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments.All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Unlock26 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/pickles-ransomware.html", - "https://twitter.com/JakubKroustek/status/834821166116327425" - ], - "ransomnotes": [ - "READ_ME_TO_DECRYPT.txt" - ], - "encryption": "AES", - "extensions": [ - ".EnCrYpTeD" - ], - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware", - "value": "PicklesRansomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/vanguard-ransomware.html", - "https://twitter.com/JAMESWT_MHT/status/834783231476166657" - ], - "ransomnotes": [ - "NOT YOUR LANGUAGE? https://translate.google.com Your personal files and documents have been encrypted withAES-256 and RSA-2048! Decrypting your files is only possible with decrypt key stored on our server. Price for key is % bitcoin % BTC (Bitcoin).\n1. Send % bitcoin % BTC to % bitcoinaddress % http://www.coindesk.com/information/how-can-i-buy-bitcoins/ https://www.bitcoin.com/buy-bitcoin \n2. Wait some time for transaction to process \n3. PRIVATE KEY WILL BE DOWNLOADED AND SYSTEM WILL AUTOMATICALLY DECRYPT YOUR FILES! \nIf you do not pay within % hoursvalid % hours key will become DESTROYED and your files LOST forever! Removing this software will make recovering files IMPOSSIBLE! Disable your antivirus for safety." 
- ], - "encryption": "ChaCha20 and Poly1305", - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses at MSOffice to fool users into opening the infected file. GO Ransomware", - "value": "Vanguard Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/pyl33t-ransomware.html", - "https://twitter.com/Jan0fficial/status/834706668466405377" - ], - "ransomnotes": [ - "ATTENTION You Have Been Infected With Ransomware. Please Make Note of Your Unique Idenfier : *** " - ], - "encryption": "ChaCha20 and Poly1305", - "extensions": [ - ".d4nk" - ], - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "PyL33T Ransomware" - }, - { - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/", - "https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-24th-2017-trump-locker-macos-rw-and-cryptomix/" - ], - "ransomnotes": [ - "https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg", - "What happen to my files.txt" - ], - "encryption": "AES-128", - "extensions": [ - ".trumplockerf", - ".TheTrumpLockerf", - ".TheTrumpLockerfp" - ], - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
This is the old VenusLocker in disquise .To delete shadow files use the following commend: C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete&exit https://2.bp.blogspot.com/-8qIiBHnE9yU/WK1mZn3LgwI/AAAAAAAAD-M/ZKl7_Iwr1agYtlVO3HXaUrwitcowp5_NQCLcB/s1600/lock.jpg", - "value": "TrumpLocker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/damage-ransomware.html", - "https://decrypter.emsisoft.com/damage", - "https://twitter.com/demonslay335/status/835664067843014656" - ], - "ransomnotes": [ - "TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com" - ], - "encryption": "AES-128 OR Combination of SHA-1 and Blowfish", - "extensions": [ - ".damage" - ], - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Written in Delphi", - "value": "Damage Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/xyzware-ransomware.html", - "https://twitter.com/malwrhunterteam/status/833636006721122304" - ], - "ransomnotes": [ - "All your files has been encrypted with RSA-2048 and AES-128. There is no way to decrypt without private key and decrypt program. You can buy the private key and the decrypt program just for 0.2 BTC (Bitcoin) You have 48 hours to buy it. 
After that, your private key will gone and we can't guarantee to decrypt.Email me for more information about how to buy it at cyberking@indonesianbacktrack.or.id" - ], - "encryption": "AES-128", - "extensions": [ - "your files get marked with: “youarefucked”" - ], - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", - "value": "XYZWare Ransomware" - }, - { - "meta": { - "refs": [ - "https://www.enigmasoftware.com/youarefuckedransomware-removal/" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-S0-Bop8XUgk/WLD_RVgldgI/AAAAAAAAEBU/r2LmgjTHUbMTtIKGH2pHdKfFXcUEOQdMgCLcB/s1600/lock-act2.png" - ], - "encryption": "AES-128", - "extensions": [ - "your files get marked with: “youarefucked”" - ], - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "YouAreFucked Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png", - "How decrypt files.hta" - ], - "encryption": "AES", - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. 
English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ", - "value": "CryptConsole 2.0 Ransomware" - }, - { - "meta": { - "synonyms": [ - "BarRaxCrypt Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html", - "https://twitter.com/demonslay335/status/835668540367777792" - ], - "encryption": "AES", - "extensions": [ - ".barRex", - ".BarRax" - ], - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", - "value": "BarRax Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/cryptolocker-by-ntk-ransomware.html" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-hvTBarxSO8Y/WKs5kjdpgDI/AAAAAAAAD9Q/m3louiSE6xY0BcGjnWvg_NNDU6K1ok3ggCLcB/s1600/lock.jpg" - ], - "encryption": "AES", - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "CryptoLocker by NTK Ransomware" - }, - { - "meta": { - "synonyms": [ - "CzechoSlovak Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/userfileslocker-ransomware.html" - ], - "ransomnotes": [ - "All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)", - "https://3.bp.blogspot.com/-0D8XdlTNIsA/WLXFiBWz5II/AAAAAAAAEFQ/Hojw0BHHysUieiCnidoVwTrqXVCckLkSQCLcB/s1600/lock-screen.jpg" - ], - "encryption": "AES-256+RSA", - "extensions": [ - ".ENCR" - ], - "date": "February 2017" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "UserFilesLocker Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017_03_01_archive.html",
- "https://id-ransomware.blogspot.co.il/2017/03/avastvirusinfo-ransomware.html"
- ],
- "encryption": "AES-256+RSA",
- "extensions": [
- ".A9v9Ahu4-000"
- ],
- "date": "February 2017"
- },
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. THE DAMAGE IS PERMENENT!!!!",
- "value": "AvastVirusinfo Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/03/suchsecurity-ransomware.html"
- ],
- "ransomnotes": [
- "https://2.bp.blogspot.com/-OCBIabrrZNg/WLm1RGFVKEI/AAAAAAAAEHY/1MASb-0Y7jsBlE2TzyqgknrfDhuEsNx2gCLcB/s1600/Screenshot_1.png"
- ],
- "encryption": "AES",
- "date": "February 2017"
- },
- "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "SuchSecurity Ransomware"
- },
- {
- "meta": {
- "synonyms": [
- "VHDLocker Ransomware"
- ],
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/02/vhd-ransomware.html"
- ],
- "ransomnotes": [
- "https://2.bp.blogspot.com/-viZiAZr3_ns/WKrIDWEEBXI/AAAAAAAAD8c/8n1RJ9m2Odoe3bvMMmIm421NdxS-OIRzQCLcB/s1600/note_2.png"
- ],
- "encryption": "AES-256",
- "date": "February 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "PleaseRead Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html",
- "https://twitter.com/MarceloRivero/status/832302976744173570",
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/"
- ],
- "ransomnotes": [
- "https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg",
- "INSTRUCCIONES.txt"
- ],
- "extensions": [
- "[KASISKI]"
- ],
- "date": "February 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Kasiski Ransomware"
- },
- {
- "meta": {
- "synonyms": [
- "Locky Impersonator Ransomware"
- ],
- "refs": [
- "https://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/",
- "https://id-ransomware.blogspot.co.il/2017/02/locky-impersonator.html",
- "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/"
- ],
- "ransomnotes": [
- "Files has been encrypted with Locky Ransomware, Do not alter your files or you will not be able to recover anything nobody will be able to recover your data since its set to AES-256 and requires our Key Send me 1.0 bitcoins Send payment to this Address: 13DYdAKb8nfo1AYeGpJXwKZYupyeqYu2QZ For Instructions on how to Purchase & send bitcoin refer to this link : *** for support Email: lockyransomware666@sigaint.net After 48 Hours your ransom doubles to 2.0 BTC After 72 Hours we will delete your recovery keys"
- ],
- "encryption": "AES",
- "extensions": [
- ".locked"
- ],
- "date": "February 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Fake Locky Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/02/cryptoshield-2-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/"
- ],
- "ransomnotes": [
- "# RESTORING FILES #.txt",
- "# RESTORING FILES #.html",
- "https://2.bp.blogspot.com/-A-N9zQgZrhE/WJHAHzuitvI/AAAAAAAADhI/AHkLaL9blZgqQWc-sTevVRTxVRttbugoQCLcB/s1600/note-2.png"
- ],
- "encryption": "AES(256)/ROT-13",
- "extensions": [
- ".CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)"
- ],
- "date": "January 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
CryptoShield 1.0 is a ransomware from the CryptoMix family.",
- "value": "CryptoShield 1.0 Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/",
- "https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/",
- "https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/"
- ],
- "ransomnotes": [
- "https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png",
- "https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png",
- "DECRYPT_INFORMATION.html",
- "UNIQUE_ID_DO_NOT_REMOVE"
- ],
- "encryption": "AES",
- "extensions": [
- ".locked"
- ],
- "date": "February 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Filemarker: \"HERMES\"",
- "value": "Hermes Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/02/lovelock-ransomware.html"
- ],
- "ransomnotes": [
- "https://3.bp.blogspot.com/-YdCKWLUFBOo/WKRCD2BLzTI/AAAAAAAAD14/BPtYMLvQpEMAbT-ZdiCVPi_LZCrXYJMhwCLcB/s1600/ReadME%2521.txt.jpg"
- ],
- "encryption": "AES",
- "extensions": [
- ".hasp"
- ],
- "date": "February 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "LoveLock Ransomware or Love2Lock Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/02/wcry-ransomware.html"
- ],
- "ransomnotes": [
- "https://1.bp.blogspot.com/-iUq492KUatk/WKH-GXnO4-I/AAAAAAAADzw/9uwo1LF5ciIvMJ6jAn3mskSqtdiTkxvlACLcB/s1600/lock-note.jpg"
- ],
- "encryption": "AES",
- "extensions": [
- ".wcry"
- ],
- "date": "February 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Wcry Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/02/dumb-ransomware.html",
- "https://twitter.com/bleepincomputer/status/816053140147597312?lang=en"
- ],
- "ransomnotes": [
- "https://2.bp.blogspot.com/-_Udncaac_gM/WKROBN00ORI/AAAAAAAAD2U/HsHkEspG85YSfPg-8MbPYYTYmBU4PAJAgCLcB/s1600/note_2.png",
- "https://4.bp.blogspot.com/-Vx9ZtCODajg/WKiMr2QX5cI/AAAAAAAAD64/QAh37o_CRIImaxUfIhoEh8qE4JLn5HaNwCLcB/s1600/dumb.jpg"
- ],
- "encryption": "AES",
- "date": "February 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "DUMB Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017_02_01_archive.html",
- "https://id-ransomware.blogspot.co.il/2017/02/x-files-ransomware.html"
- ],
- "encryption": "AES",
- "extensions": [
- ".b0C",
- ".b0C.x"
- ],
- "date": "February 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "X-Files"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/02/polski-ransomware.html"
- ],
- "ransomnotes": [
- "https://1.bp.blogspot.com/-ahpZEI1FHQM/WJd7_dpYlyI/AAAAAAAADm8/4-nFXqc9bjEI93VDJRdsLSlBOwQiaM7swCLcB/s1600/note.jpg"
- ],
- "encryption": "AES-256",
- "extensions": [
- ".aes"
- ],
- "date": "February 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
The Ransom is 249$ and the hacker demands that the victim gets in contact through e-mail and a Polish messenger called Gadu-Gadu.",
- "value": "Polski Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/",
- "https://twitter.com/_ddoxer/status/827555507741274113"
- ],
- "ransomnotes": [
- "https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png",
- "README.txt"
- ],
- "encryption": "AES-256",
- "extensions": [
- ".yourransom"
- ],
- "date": "February 2016"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This hacker demands that the victim contacts him through email and decrypts the files for FREE.(moreinfo in the link below)",
- "value": "YourRansom Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/02/ranion-raas.html",
- "https://www.bleepingcomputer.com/news/security/ranion-ransomware-as-a-service-available-on-the-dark-web-for-educational-purposes/"
- ],
- "ransomnotes": [
- "https://3.bp.blogspot.com/-ORiqmM6oWXc/WJV7X4IvTWI/AAAAAAAADlE/wXvz5Hsv1gQ-UrLoA1plVjLTVD7iDDxwQCLcB/s1600/buy_2.png"
- ],
- "encryption": "AES-256",
- "date": "February 2016"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ranion Raas gives the opportunity to regular people to buy and distribute ransomware for a very cheap price. 
(More info in the link below). RaaS service",
- "value": "Ranion RaasRansomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/polato-ransomware.html"
- ],
- "ransomnotes": [
- "How to recover my files.txt",
- "README.png",
- "README.html",
- "https://2.bp.blogspot.com/-E9GDxEoz95k/WIop79nWZ2I/AAAAAAAADZU/CnsvOl96yesoH07BZ2Q05Fp40kLcTMmqQCLcB/s1600/note.jpg"
- ],
- "encryption": "AES-256",
- "extensions": [
- ".potato"
- ],
- "date": "January 2017"
- },
- "description": "Wants a ransom to get the victim’s files back . Originated in English. Spread worldwide.",
- "value": "Potato Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/opentodecrypt-ransomware.html"
- ],
- "ransomnotes": [
- "!!!.txt",
- "1.bmp",
- "1.jpg",
- "https://3.bp.blogspot.com/-RPeHrC9Trqk/WGk1kQlBQQI/AAAAAAAAC6o/FutnWrlUf44hq54_xI_6Uz2migCR0rwlwCLcB/s1600/Note-wallp.jpg",
- "Your files are encrypted! To decrypt write on email - opentoyou@india.comIdentification key - 5E1C0884"
- ],
- "encryption": "RC4",
- "extensions": [
- ".-opentoyou@india.com"
- ],
- "date": "December 2016/January 2017"
- },
- "description": "This ransomware is originated in English, therefore could be used worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.",
- "value": "of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)"
- },
- {
- "meta": {
- "refs": [
- "http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html",
- "https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html",
- "https://twitter.com/jiriatvirlab/status/825411602535088129"
- ],
- "ransomnotes": [
- "YOUR FILES ARE ENCRYPTED!!!.txt",
- "https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png",
- "YOUR FILES ARE ENCRYPTED!!! To restore (decrypt) them you must:\n1. 
Pay 0.25 bitcoin (btc) to address 36QLSB*** You can get BTC on this site http://localbitcoins.com \n2. After payment you must send Bitcoin Transacation ID to E-mail: andresaha82@gmail.com Then we will send you decryption tool."
- ],
- "encryption": "AES",
- "extensions": [
- ".encrypted"
- ],
- "date": "January 2017"
- },
- "description": "Author of this ransomware is sergej. Ransom is 0.25 bitcoins for the return of files. Originated in English. Used worldwide. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.",
- "value": "RansomPlus"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html",
- "https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/",
- "https://twitter.com/PolarToffee/status/824705553201057794"
- ],
- "ransomnotes": [
- "How decrypt files.hta",
- "Your files are encrypted! Your personal ID764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35 Discovered a serious vulnerability in your network security. No data was stolen and no one will be able to do it while they are encrypted. For you we have automatic decryptor and instructions for remediation. How to get the automatic decryptor : \n1) Pay 0,25 BTC Buy BTC on one of these sites: https://localbitcoins.com https://www.coinbase.com https://xchange.cc bitcoin adress for pay: 1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm Send 0,25 BTC \n2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document). \n3) You will receive automatic decryptor and all files will be restored \n* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc... \nAttention! 
\n• No Payment = No decryption \n• You really get the decryptor after payment \n• Do not attempt to remove the program or run the anti-virus tools \n• Attempts to self-decrypting files will result in the loss of your data \n• Decoders other users are not compatible with your data, because each user's unique encryption key"
- ],
- "encryption": "AES",
- "extensions": [
- ".unCrypte@outlook.com_<random_numbers_and_upper_alphabetic_characters> ",
- ".decipher_ne@outlook.com_<random_numbers_and_upper_alphabetic_characters"
- ],
- "date": "January 2017"
- },
- "description": "This ransomware does not actually encrypt your file, but only changes the names of your files, just like Globe Ransomware. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files",
- "value": "CryptConsole"
- },
- {
- "meta": {
- "refs": [
- "https://www.bleepingcomputer.com/forums/t/638191/zxz-ransomware-support-help-topic-zxz/?hl=%2Bzxz#entry4168310",
- "https://id-ransomware.blogspot.co.il/2017/01/zxz-ransomware.html"
- ],
- "extensions": [
- ".zxz"
- ],
- "date": "January 2017"
- },
- "description": "Originated in English, could affect users worldwide, however so far only reports from Saudi Arabia. The malware name founded by a windows server tools is called win32/wagcrypt.A",
- "value": "ZXZ Ramsomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/vxlock-ransomware.html"
- ],
- "encryption": "AES+RSA",
- "extensions": [
- ".vxlock"
- ],
- "date": "January 2017"
- },
- "description": "Developed in Visual Studios in 2010. Original name is VxCrypt. This ransomware encrypts your files, including photos, music, MS office, Open Office, PDF… etc",
- "value": "VxLock Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/funfact.html",
- "http://www.enigmasoftware.com/funfactransomware-removal/"
- ],
- "ransomnotes": [
- "note.iti",
- "Important Information!!!! You had bad luck. 
All your files are encrypted with RSA and AES ciphers. to get your files back read carefully. if you do not understand, Read again. All your documents are recoverable only with our software and key file. To decrypt files you need to contact worldfunfact@sigaint.org or funfacts11@tutanota.com and set your ID as email title and send clsign.dll file from your computer. That is the key file and yes, it’s encrypted. Search your computer for filename “clsign.dll” attach it to email. if you wish we will decrypt one of your encrypted file for free! It’s your guarantee. After you made payment you will receive decryption software with key and necessary instructions. if you don’t contact us within 72 hours we will turn on sanctions. you’ll have to pay more. Recovery is only possible during 7 days. after that don’t contact us. Remember you are just single payment away from all your files If your files are urgent pay exactly requested amount to Bitcoin (BTC) address and send clsign.dll file to us. We will send your decryption software within 24 hours; remember if you contact us first maybe you’ll have to pay less\nUser ID: 658061***\nBTC Address: 1AQrj***\nAmount(BTC): 1.65806\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion:\nGnuPG\nv2\n*******************************\n-----END PGP PUBLIC KEY BLOCK-----"
- ],
- "encryption": "AES+RSA",
- "date": "January 2017"
- },
- "description": "Funfact uses an open code for GNU Privacy Guard (GnuPG), then asks to email them to find out the amout of bitcoin to send (to receive a decrypt code). Written in English, can attach all over the world. 
The ransom is 1.22038 BTC, which is 1100USD.",
- "value": "FunFact Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2016/06/zekwacrypt-ransomware.html",
- "http://www.2-spyware.com/remove-zekwacrypt-ransomware-virus.html"
- ],
- "ransomnotes": [
- "encrypted_readme.txt",
- "__encrypted_readme.txt",
- "https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png",
- "WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com"
- ],
- "encryption": "AES+RSA",
- "extensions": [
- ".<7_random_letters>"
- ],
- "date": "January 2017"
- },
- "description": "First spotted in May 2016, however made a big comeback in January 2017. It’s directed to English speaking users, therefore is able to infect worldwide. 
Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.",
- "value": "ZekwaCrypt Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html",
- "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
- "http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom",
- "https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/",
- "https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-generation-algorithm-ipga"
- ],
- "ransomnotes": [
- "https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png",
- "https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png",
- "!Recovery_[3_random_chars].html"
- ],
- "encryption": "AES",
- "extensions": [
- ".sage"
- ],
- "date": "January 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. This ransomware attacks your MS Office by offering a Micro to help with your program, but instead incrypts all your files if the used id not protected. Predecessor CryLocker",
- "value": "Sage 2.0 Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/cloudsword.html",
- "http://bestsecuritysearch.com/cloudsword-ransomware-virus-removal-steps-protection-updates/",
- "https://twitter.com/BleepinComputer/status/822653335681593345"
- ],
- "ransomnotes": [
- "Warning警告.html",
- "https://4.bp.blogspot.com/-OTxFEWf7LiY/WIO0rJmBgJI/AAAAAAAADTQ/U3BLcd2-CPQQ_73eIKIyg28cKFmw4nctgCLcB/s1600/note.jpg"
- ],
- "encryption": "AES",
- "date": "January 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Window Update” to confuse its victims. 
Then imitates the window update process , while turning off the Window Startup Repair and changes the BootStatusPolicy using these commands: bcdedit.exe /set {default} recoveryenabled No bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
- "value": "CloudSword Ransomware"
- },
- {
- "meta": {
- "synonyms": [
- "Fake"
- ],
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/dn-donotopen.html"
- ],
- "ransomnotes": [
- "https://2.bp.blogspot.com/-llR46G5zOBE/WIJuTTHImXI/AAAAAAAADS8/Ww_QU1Z7Q3geZgiSStJB3siO3oQJpIcowCLcB/s1600/note.jpg",
- "https://4.bp.blogspot.com/-ilIaUD5qOuk/WIJuV1TuC1I/AAAAAAAADTA/SOj8St_qXMsgDexK1BGgZT0yFDkNDz_7QCLcB/s1600/lock.jpg"
- ],
- "encryption": "AES",
- "extensions": [
- ".killedXXX"
- ],
- "date": "January 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Chrome Update” to confuse its victims. Then imitates the chrome update process ,while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!!!!",
- "value": "DN"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/garryweber.html"
- ],
- "ransomnotes": [
- "HOW_OPEN_FILES.html",
- "https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg"
- ],
- "encryption": "AES",
- "extensions": [
- ".id-_garryweber@protonmail.ch"
- ],
- "date": "January 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is FileSpy and FileSpy Application. It is spread using email spam, fake updates, infected attachments and so on. 
It encryps all your files, including: music, MS Office, Open Office, pictures etc..",
- "value": "GarryWeber Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html",
- "https://www.bleepingcomputer.com/forums/t/637811/satan-ransomware-help-support-topic-stn-extension-help-decrypt-fileshtml/",
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/",
- "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
- "https://twitter.com/Xylit0l/status/821757718885236740"
- ],
- "ransomnotes": [
- "https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png",
- "HELP_DECRYPT_FILES.html"
- ],
- "encryption": "AES-256 + RSA-2048",
- "extensions": [
- ".stn"
- ],
- "date": "January 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc.. This ransomware promotes other to download viruses and spread them as ransomware to infect other users and keep 70% of the ransom. 
(leaving the other 30% to Satan) https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif RaaS",
- "value": "Satan Ransomware"
- },
- {
- "meta": {
- "synonyms": [
- "HavocCrypt Ransomware"
- ],
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/havoc-ransomware.html"
- ],
- "ransomnotes": [
- "https://2.bp.blogspot.com/-Xs7yigomWw8/WH0mqn0QJLI/AAAAAAAADKA/0Fk5QroMsgQ3AsXbHsbVtopcJN4qzDgdACLcB/s1600/note.jpg"
- ],
- "encryption": "AES",
- "extensions": [
- ".HavocCrypt"
- ],
- "date": "January 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures , videos, shared online files etc..",
- "value": "Havoc"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/cryptosweettooth.html",
- "http://sensorstechforum.com/remove-cryptosweettooth-ransomware-restore-locked-files/"
- ],
- "ransomnotes": [
- "IMPORTANTE_LEER.html",
- "RECUPERAR_ARCHIVOS.html",
- "https://3.bp.blogspot.com/-KE6dziEK4To/WHnvPzKOs7I/AAAAAAAADHI/KPBjmO9iChgAa12-f1VOxF49Pv27-0XfQCLcB/s1600/note.jpg"
- ],
- "encryption": "AES",
- "extensions": [
- ".locked"
- ],
- "date": "January 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Its fake name is Bitcoin and maker’s name is Santiago. Work of the encrypted requires the user to have .NET Framework 4.5.2. 
on his computer.",
- "value": "CryptoSweetTooth Ransomware"
- },
- {
- "meta": {
- "synonyms": [
- "RansomTroll Ransomware",
- "Käändsõna Ransomware"
- ],
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html",
- "https://twitter.com/BleepinComputer/status/819927858437099520"
- ],
- "ransomnotes": [
- "https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png",
- "You have been struck by the holy Kaandsona ransomware Either you pay 1 BTC in 24 hours or you lose ALL FILES \nbutton 'Show all encrypted files' \nbutton 'PAY'"
- ],
- "encryption": "AES",
- "extensions": [
- ".kencf"
- ],
- "date": "January 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The word Kaandsona is Estonian, therefore the creator is probably from Estonia. Crashes before it encrypts",
- "value": "Kaandsona Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/lambdalocker.html",
- "http://cfoc.org/how-to-restore-files-affected-by-the-lambdalocker-ransomware/"
- ],
- "ransomnotes": [
- "READ_IT.hTmL",
- "https://1.bp.blogspot.com/-B3o6bGziu_M/WHkyueI902I/AAAAAAAADGw/la7psCE9JEEe17GipFh69xVnIDYGFF38wCLcB/s1600/note-1-2.gif"
- ],
- "encryption": "AES-256",
- "extensions": [
- ".lambda_l0cked"
- ],
- "date": "January 2017"
- },
- "description": "It’s directed to English and Chinese speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Python Ransomware",
- "value": "LambdaLocker Ransomware"
- },
- {
- "meta": {
- "synonyms": [
- "HakunaMatataRansomware"
- ],
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/hakunamatata.html",
- "https://id-ransomware.blogspot.co.il/2016_03_01_archive.html"
- ],
- "ransomnotes": [
- "Recovers files yako.html",
- "https://4.bp.blogspot.com/-DUXeyyzqwKs/WHkrGvLyFvI/AAAAAAAADGg/SPfrNMZYGs8edE7X5z-3MBroIqS5GQ8kACLcB/s1600/note_1-str_2.png"
- ],
- "encryption": "AES",
- "extensions": [
- ".HakunaMatata"
- ],
- "date": "January 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "NMoreia 2.0 Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2017/01/marlboro.html",
- "https://decrypter.emsisoft.com/marlboro",
- "https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/"
- ],
- "ransomnotes": [
- "https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png",
- "https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png",
- "_HELP_Recover_Files_.html"
- ],
- "encryption": "XOR",
- "extensions": [
- ".oops"
- ],
- "date": "January 2017"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is .2 bitcoin, however there is no point of even trying to pay, since this damage is irreversible. Once the ransom is paid the hacker does not return decrypt the files. 
Another name is DeMarlboro and it is written in language C++. Pretend to encrypt using RSA-2048 and AES-128 (really it’s just XOR)", - "value": "Marlboro Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html", - "https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware", - "http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png", - "[Infection-ID].HTML" - ], - "encryption": "AES+RSA", - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of a spam email with a viral attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png", - "value": "Spora Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/cryptokill-ransomware.html" - ], - "encryption": "AES+RSA", - "extensions": [ - ".crypto" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files get encrypted, but the decrypt key is not available. 
NO POINT OF PAYING THE RANSOM, THE FILES WILL NOT BE RETURNED.", - "value": "CryptoKill Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/allyourdocuments-ransomware.html" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png" - ], - "extensions": [ - "AES+RSA" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "All_Your_Documents Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/serbransom-2017.html", - "https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/", - "https://twitter.com/malwrhunterteam/status/830116190873849856" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-OY8jgTN5Y9Q/WKAI6a9xfMI/AAAAAAAADwc/ng36hAXsvfYQ5rdkSFeVgEvLY88pJmnWACLcB/s1600/note-html-wallp.jpg", - "https://3.bp.blogspot.com/-DQQ5tk0C9lY/WKALND0dYPI/AAAAAAAADwo/EuKiO_F0Mn0ImrGLVE-Sks-j93pHoTjKACLcB/s1600/konstr.jpg" - ], - "encryption": "AES", - "extensions": [ - ".velikasrbija" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 500$ in bitcoins. 
The name of the hacker is R4z0rx0r Serbian Hacker.", - "value": "SerbRansom 2017 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/fadesoft-ransomware.html", - "https://twitter.com/malwrhunterteam/status/829768819031805953", - "https://twitter.com/malwrhunterteam/status/838700700586684416" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-5t-5eBl4Tng/WKARmYV5GVI/AAAAAAAADxA/OuS7Eo__z1sh2tRbBpQIxJQ6IVbSiQakwCLcB/s1600/lock-note.jpg" - ], - "encryption": "AES", - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 0.33 bitcoins.", - "value": "Fadesoft Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/hugeme-ransomware.html", - "https://www.ozbargain.com.au/node/228888?page=3", - "https://id-ransomware.blogspot.co.il/2016/04/magic-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-kolk6sABFzQ/WJ95ddcAxNI/AAAAAAAADwI/oP8ZFD7KnqoQWgpfgEHId843x3l0xfhjACLcB/s1600/note_2.png" - ], - "encryption": "AES-256 + RSA-2048", - "extensions": [ - ".encypted" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "HugeMe Ransomware" - }, - { - "meta": { - "synonyms": [ - "DynA CryptoLocker Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/dyna-crypt-ransomware.html", - "https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-steals-your-info/" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg" - ], - "encryption": "AES-256 + RSA-2048", - "extensions": [ - ".crypt" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "DynA-Crypt Ransomware" - }, - { - "meta": { - "synonyms": [ - "Serpent Danish Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/serpent-danish-ransomware.html" - ], - "ransomnotes": [ - "==== NEED HELP WITH TRANSLATE? USE https://translate.google.com ====\n================ PLEASE READ THIS MESSAGE CAREFULLY ================\n Your documents, photos, videos, databases and other important files have been encrypted! The files have been encrypted using AES256 and RSA2048 encryption (unbreakable) To decrypt your files you need to buy the special software 'SerpentDecrypter'.You can buy this software on one of the websites below. xxxx://vdpbkmwbnp.pw/00000000-00000000-00000000-00000000 xxxx://hnxrvobhgm.pw/00000000-00000000-00000000-00000000 If the websites above do not work you can use a special website on the TOR network. Follow the steps below\n1. Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads\n2. 
Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/00000000-00000000-00000000-00000000 \n3. Follow the instructions to buy 'Serpent Decrypter'\n================ PLEASE READ THIS MESSAGE CAREFULLY ================" - ], - "encryption": "AES-256 + RSA-2048", - "extensions": [ - ".crypt" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Serpent 2017 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html", - "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg", - "README.HTML" - ], - "encryption": "ROT-23", - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Erebus 2017 Ransomware" - }, - { - "meta": { - "synonyms": [ - "Ransomuhahawhere" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/ransomuhahawhere.html" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-7KRVg6kt418/WJnwxDOV5NI/AAAAAAAADrk/or9DbPMl-7ksN7OwIAH6BMJwE5fGc_BfgCLcB/s1600/note_2.png" - ], - "extensions": [ - ".locked" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Cyber Drill Exercise " - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/cancer-ransomware.html", - "https://www.bleepingcomputer.com/news/security/watch-your-computer-go-bonkers-with-cancer-trollware/" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-ozPs6mwKfEI/WJjTwbrOx9I/AAAAAAAADqE/4gewG-f_dLQQDevajtn8CnX69lvWgCZQACLcB/s1600/wallp.jpg" - ], - "extensions": [ - ".cancer" - ], - "date": "February 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. This is a trollware that does not encrypt your files but makes your computer act crazy (like in the video in the link below). It is meant to be annoying and it is hard to erase from your PC, but possible.", - "value": "Cancer Ransomware FAKE" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/02/updatehost-ransomware.html", - "https://www.bleepingcomputer.com/startups/Windows_Update_Host-16362.html" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-BOmKmroIvEI/WJn-LAUmyyI/AAAAAAAADsI/W987TEaOnEAd45AOxO1cFyFvxEx_RfehgCLcB/s1600/note_2.png" - ], - "encryption": "AES", - "extensions": [ - ".locked" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Poses as Microsoft Copyright 2017 and requests ransom in bitcoins.", - "value": "UpdateHost Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/nemesis-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-dLSbqOiIbLU/WHPh-akYinI/AAAAAAAADC0/6nFQClDBJ5M7ZhrjkhnxfkdboOh7SlE-ACLcB/s1600/v5YZMxt.jpg" - ], - "encryption": "AES", - "extensions": [ - ".v8dp" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 10 bitcoins.", - "value": "Nemesis Ransomware" - }, - { - "meta": { - "synonyms": [ - "File0Locked KZ Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/evil-ransomware.html", - "http://www.enigmasoftware.com/evilransomware-removal/", - "http://usproins.com/evil-ransomware-is-lurking/", - "https://twitter.com/jiriatvirlab/status/818443491713884161", - "https://twitter.com/PolarToffee/status/826508611878793219" - ], - "ransomnotes": [ - "HOW_TO_DECRYPT_YOUR_FILES.TXT", - "HOW_TO_DECRYPT_YOUR_FILES.HTML", - "https://3.bp.blogspot.com/-0NFy_yDghZ0/WHO_ClbPdMI/AAAAAAAADCQ/RX2cgYg3z381gro6UUQtAED7JgXHbvGLgCLcB/s1600/note-txt_2.png", - "https://4.bp.blogspot.com/-xxJ9xdRuWis/WHO_FL-hWcI/AAAAAAAADCU/VqI02AhzopQY1WKk-k6QYSdHFWFzg1NcACLcB/s1600/note_2.png" - ], - "encryption": "AES", - "extensions": [ - ".file0locked", - ".evillock" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Domain KZ is used, therefore it is assumed that the decrypter is from Kazakhstan. 
Coded in Javascript", - "value": "Evil Ransomware" - }, - { - "meta": { - "synonyms": [ - "Ocelot Locker Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/ocelot-ransomware.html", - "https://twitter.com/malwrhunterteam/status/817648547231371264" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-3iMAtqvAmts/WHEyA_dW5OI/AAAAAAAADAY/tE5FtaVMJcc3aQQvWI4XOdjtvbXufFgywCLcB/s1600/lock1.jpg", - "https://3.bp.blogspot.com/-DMxJm5GT0VY/WHEyEOi_vZI/AAAAAAAADAc/6Zi3IBuBz1I7jdQHcSrzhUGagGCUfs6iACLcB/s1600/lock2.jpg" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. This is a fake ransomware. Your files are not really encrypted, however the attacker does ask for a ransom of .03 bitcoins. It is still dangerous even though it is fake, he still go through to your computer.", - "value": "Ocelot Ransomware (FAKE RANSOMWARE)" - }, - { - "meta": { - "synonyms": [ - "Blablabla Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/skyname-ransomware.html", - "https://twitter.com/malwrhunterteam/status/817079028725190656" - ], - "ransomnotes": [ - "INFOK1.txt", - "https://1.bp.blogspot.com/-i4ksJq-UzX8/WHFFXQL5wAI/AAAAAAAADA8/awfsqj1lr7IMBAPtE0tB44PNf1N6zkGDwCLcB/s1600/note_2.png", - "https://1.bp.blogspot.com/-OlKgHvtAUHg/WHFDCx4thaI/AAAAAAAADAw/wzBXV17Xh-saaFGlrxw3CDNhGSTaVe2dQCLcB/s1600/lock1.jpg" - ], - "encryption": "AES", - "date": "January 2017" - }, - "description": "It’s directed to Czechoslovakianspeaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Based on HiddenTear", - "value": "SkyName Ransomware" - }, - { - "meta": { - "synonyms": [ - "Depsex Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/mafiaware.html", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/", - "https://twitter.com/BleepinComputer/status/817069320937345024" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png", - "READ_ME.txt" - ], - "encryption": "AES", - "extensions": [ - ".locked-by-mafia" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 155$ inbitcoins. Creator of ransomware is called Mafia. 
Based on HiddenTear", - "value": "MafiaWare Ransomware" - }, - { - "meta": { - "synonyms": [ - "Purge Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/globe3-ransomware.html", - "https://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/", - "https://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/", - "https://decryptors.blogspot.co.il/2017/01/globe3-decrypter.html", - "https://decrypter.emsisoft.com/globe3" - ], - "ransomnotes": [ - "How To Recover Encrypted Files.hta", - "https://2.bp.blogspot.com/-Wk1_IdcEHbk/WG6FVnoaKlI/AAAAAAAAC-4/WeHzJAUJ0goxxuAoGUUebSgzGHrnD6LQQCLcB/s1600/Globe-ransom-note_2.png.png", - "https://3.bp.blogspot.com/-lYkopoRH0wQ/WHOt1KhhzhI/AAAAAAAADCA/nPdhHK3wEucAK1GHodeh5w3HcpdugzSHwCLcB/s1600/globe3-9-1-17.png" - ], - "encryption": "AES-256+RSA or RC4", - "extensions": [ - ".badnews", - ".globe", - ".[random].bit", - ".[random].encrypted", - ".[random].raid10", - ".[random].globe", - ".[mia.kokers@aol.com]", - ".unlockv@india.com", - ".rescuers@india.com.3392cYAn548QZeUf.lock", - ".locked", - ".decrypt2017", - ".hnumkhotep" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 3 bitcoins. Extesion depends on the config file. 
It seems Globe is a ransomware kit.", - "value": "Globe3 Ransomware" - }, - { - "meta": { - "synonyms": [ - "FireCrypt Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/bleedgreen-ransomware.html", - "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-np8abNpYeoU/WG1KX4_H0yI/AAAAAAAAC98/gxRJeDb01So5yTboXYP7sZWurJFBbWziACLcB/s1600/note-html.jpg" - ], - "encryption": "AES-256", - "extensions": [ - ".firecrypt" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 500$ in bitcoins. Requires .NET Framework 4.0. Gets into your startup system and sends you notes like the one below: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg", - "value": "BleedGreen Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/btcamant.html" - ], - "ransomnotes": [ - "BTC_DECRYPT_FILES.txt", - "BTC_DECRYPT_FILES.html", - "https://2.bp.blogspot.com/-uiHluU553MU/WGzoFpEWkfI/AAAAAAAAC9o/M34ndwHUsoEfZiLJv9j4PCgBImS8oyYaACLcB/s1600/note_2.png" - ], - "encryption": "AES", - "extensions": [ - ".BTC" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Original name is Mission 1996 or Mission: “Impossible” (1996) (like the movie)", - "value": "BTCamant Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/x3m-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-hMAakgAORvg/WG_i-lk09II/AAAAAAAADAI/Uq2iCHC5ngYzeVcuxQF0mcbrLqyOGcA_wCLcB/s1600/note.png" - ], - "encryption": "AES", - "extensions": [ - "_x3m", - "_r9oj", - "_locked" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. It is also possible to break in using RDP Windows with the help of Pass-the-Hash system, PuTTY, mRemoteNG, TightVNC, Chrome Remote Desktop, modified version of TeamViewer, AnyDesk, AmmyyAdmin, LiteManager, Radmin and others. Ransom is 700$ in Bitcoins.", - "value": "X3M Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/gog-ransomware.html", - "https://twitter.com/BleepinComputer/status/816112218815266816" - ], - "ransomnotes": [ - "DecryptFile.txt", - "https://4.bp.blogspot.com/-cAnilnXjK7k/WG_OHhC_UdI/AAAAAAAAC_4/sdbzTx9hP4sryM7xE59ONdk7Zr8D_m6XwCLcB/s1600/note-txt_2.png", - "https://1.bp.blogspot.com/-TDK91s7FmNM/WGpcwq5HmwI/AAAAAAAAC8Q/i0Q66vE7m-0kmrKPXWdwnYQg6Eaw2KSDwCLcB/s1600/note-pay_2.png" - ], - "encryption": "AES", - "extensions": [ - ".LOCKED" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "GOG Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/edgelocker-ransomware.html", - "https://twitter.com/BleepinComputer/status/815392891338194945" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-dNBgohC1UYg/WGnXhem546I/AAAAAAAAC7w/Wv0Jy4173xsBJDZPLMxe6lXBgI5BkY4BgCLcB/s1600/note-lock.jpg" - ], - "encryption": "AES", - "extensions": [ - ".edgel" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.1 Bitcoins. Original name is TrojanRansom.", - "value": "EdgeLocker" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/red-alert-ransomware.html", - "https://twitter.com/JaromirHorejsi/status/815557601312329728" - ], - "ransomnotes": [ - "MESSAGE.txt", - "https://1.bp.blogspot.com/-tDS74fDwB1Q/WGk2D5DcUYI/AAAAAAAAC6s/vahju5JD9B4chwnNDUvDPp4ejZOxnj_awCLcB/s1600/note-wallp.jpg" - ], - "encryption": "AES", - "extensions": [ - ".locked" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Fake name: Microsoft Corporation. 
Based on HiddenTear", - "value": "Red Alert" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/first-ransomware.html" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-T0PhVuoFSyA/WGk5mYkRFAI/AAAAAAAAC64/j14Pt84YUmQMNa_5LSEn6fZ5CoYqz60swCLcB/s1600/note-lock.jpg" - ], - "encryption": "AES", - "extensions": [ - ".locked" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "First" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html", - "https://twitter.com/JakubKroustek/status/825790584971472902" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg", - "Xhelp.jpg" - ], - "encryption": "Twofish", - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Written on Delphi. 
The user requests the victim to get in touch with him through ICQ to get the ransom and return the files.", - "value": "XCrypt Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/7zipper-ransomware.html", - "https://1.bp.blogspot.com/-ClM0LCPjQuk/WI-BgHTpdNI/AAAAAAAADc8/JyEQ8-pcJmsXIntuP-MMdE-pohVncxTXQCLcB/s1600/7-zip-logo.png" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-BR0DvtIft7g/WI95IF7IdUI/AAAAAAAADck/gzWAMbpFvaYicHFuMzvlM3YGJpgulMQBQCLcB/s1600/note_2.png" - ], - "encryption": "Twofish", - "extensions": [ - ".7zipper" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "7Zipper Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/zyka-ransomware.html", - "https://www.pcrisk.com/removal-guides/10899-zyka-ransomware", - "https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip", - "https://twitter.com/GrujaRS/status/826153382557712385" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-SF4RsOANlI0/WJBQd4SJv6I/AAAAAAAADdY/hI-Ncw9FoFMi5jvljUftpzTgdykOfR3vgCLcB/s1600/lock-wallp_2.png.png" - ], - "encryption": "AES", - "extensions": [ - ".lock", - ".locked" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Ransom is 170$ or EUR in Bitcoins.", - "value": "Zyka Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/sureransom-ransomware.html", - "http://www.forbes.com/sites/leemathews/2017/01/27/fake-ransomware-is-tricking-people-into-paying/#777faed0381c" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-zShnOIf3R_E/WJBfhC4CdSI/AAAAAAAADdo/6l4hwSOmI0Evj4W0Esj1S_uNOy5Yq6X0QCLcB/s1600/note1-2-3.gif" - ], - "encryption": "AES-256 (fake)", - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to strike worldwide. This ransomware does not really encrypt your files. Ransom requested is £50 using credit card.", - "value": "SureRansom Ransomeware (Fake)" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2017/01/netflix-ransomware.html", - "http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/", - "https://www.bleepingcomputer.com/news/security/rogue-netflix-app-spreads-netix-ransomware-that-targets-windows-7-and-10-users/", - "http://www.darkreading.com/attacks-breaches/netflix-scam-spreads-ransomware/d/d-id/1328012", - "https://4.bp.blogspot.com/-bQQ4DTIClvA/WJCIh6Uq2nI/AAAAAAAADfY/hB5HcjuGgh8rRJKeLHo__IRz3Ezth22-wCEw/s1600/form1.jpg", - "https://4.bp.blogspot.com/-ZnWdPDprJOg/WJCPeCtP4HI/AAAAAAAADfw/kR0ifI1naSwTAwSuOPiw8ZCPr0tSIz1CgCLcB/s1600/netflix-akk.png" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-vODt2aB9Hck/WJCFc3g5eCI/AAAAAAAADe8/OrEVkqUHMU4swRWedoZuBu50AWoKR1FGACLcB/s1600/netflix-note.jpg", - "https://4.bp.blogspot.com/-Cw4e1drBKl4/WJCHmgp1vtI/AAAAAAAADfI/QqFxUsuad" - ], - "encryption": "AES-256", - "extensions": [ - ".se" - ], - "date": "January 2017" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses the known online library as a decoy. It poses as Netflix Code generator for Netflix login, but instead encrypts your files. The ransom is 100$ in Bitcoins.", - "value": "Netflix Ransomware" - }, - { - "meta": { - "synonyms": [ - "Merry X-Mas", - "MRCR" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/mrcr1-ransomware.html", - "https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/", - "http://www.zdnet.com/article/not-such-a-merry-christmas-the-ransomware-that-also-steals-user-data/", - "https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/", - "https://decrypter.emsisoft.com/mrcr" - ], - "ransomnotes": [ - "YOUR_FILES_ARE_DEAD.HTA", - "MERRY_I_LOVE_YOU_BRUCE.HTA", - "https://2.bp.blogspot.com/-3F3QAZnDxsI/WGpvD4wZ2OI/AAAAAAAAC80/-2L6dIPqsgs8hZHOX0T6AFf5LwPwfZ-rwCLcB/s1600/note.png", - "https://4.bp.blogspot.com/-_w8peyLMcww/WHNJ1Gb0qeI/AAAAAAAADBw/EVbR-gKipYoNujo-YF6VavafsUfWDANEQCLcB/s1600/8-1-17.png" - ], - "encryption": "AES-256", - "extensions": [ - ".MRCR1", - ".PEGS1", - ".RARE1", - ".RMCM1", - ".MERRY" - ], - "date": " December 2016" - }, - "description": "It’s directed to English and Italian speaking users, therefore is able to infect worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. They pose as a Consumer complaint notification that’s coming from Federal Trade Commission from USA, with an attached file called “complaint.pdf”. 
Written in Delphi by hacker MicrRP.", - "value": "Merry Christmas" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/seoirse-ransomware.html" - ], - "encryption": "AES", - "extensions": [ - ".seoire" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Seoirse is how in Ireland people say the name George. Ransom is 0.5 Bitcoins.", - "value": "Seoirse Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/killdisk-ransomware.html", - "https://www.bleepingcomputer.com/news/security/killdisk-ransomware-now-targets-linux-prevents-boot-up-has-faulty-encryption/", - "https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/", - "http://www.zdnet.com/article/247000-killdisk-ransomware-demands-a-fortune-forgets-to-unlock-files/", - "http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware", - "http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/", - "https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-8MqANWraAgE/WGT7mj-XirI/AAAAAAAAC3g/H_f1hTxa7Sc_DEtllBe-vYaAfY-YqMelgCLcB/s1600/wallp.png" - ], - "encryption": "AES-256+RSA", - "date": "November/December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Every file is encrypted with a personal AES-key, and then AES-key encrypts with a RSA-1028 key. 
Hacking by TeleBots (Sandworm). Goes under a fake name: Update center or Microsoft Update center.", - "value": "KillDisk Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html", - "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif", - "unlock-everybody.txt" - ], - "encryption": "AES", - "extensions": [ - ".deria" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Maker is arizonacode and ransom amount is 20-30$. If the victim decides to pay the ransom, he will have to copy HWID and then speak to the hacker on Skype and forward him the payment.", - "value": "DeriaLock Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html", - "https://twitter.com/demonslay335/status/813064189719805952" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png", - "More.html" - ], - "encryption": "AES", - "extensions": [ - ".bript" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "BadEncript Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/adamlocker-ransomware.html" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-9IgXt6L0hLY/WGARdzJgfvI/AAAAAAAACyQ/1bfnX_We65AirDcAFpiG49NPuBMfGH9wwCLcB/s1600/note-adam.jpg" - ], - "encryption": "AES", - "extensions": [ - ".adam" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the creator is puff69.", - "value": "AdamLocker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/alphabet-ransomware.html", - "https://twitter.com/PolarToffee/status/812331918633172992" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-bFPI3O1BI3s/WGPpvnDvNNI/AAAAAAAAC10/mLUiFOCWnEkjbV91PmUGnc3qsFMv9um8QCLcB/s1600/wallp.jpg" - ], - "encryption": "AES", - "extensions": [ - ".alphabet" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses as Windows 10 Critical Update Service. Offers you to update your Windows 10, but instead encrypts your files. 
For successful attack, the victim must have .NET Framework 4.5.2 installed on him computer.", - "value": "Alphabet Ransomware" - }, - { - "meta": { - "synonyms": [ - "KokoLocker Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/kokokrypt-ransomware.html", - "http://removevirusadware.com/tips-for-removeing-kokokrypt-ransomware/" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-NiQ6rSIprB8/WF-uxTMq6hI/AAAAAAAACyA/tA6qO3aJdGc0Dn_I-IOZOM3IwN5rgq9sACLcB/s1600/note-koko.jpg" - ], - "encryption": "AES", - "extensions": [ - ".kokolocker" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files and documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru", - "value": "KoKoKrypt Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/l33taf-locker-ransomware.html" - ], - "ransomnotes": [ - "YOU_HAVE_BEEN_HACKED.txt", - "https://2.bp.blogspot.com/-yncl7-Jy198/WGDjdgNKXjI/AAAAAAAACzA/bfkDgwWEGKggUG3E1tgPBAWDXwi-p-7AwCLcB/s1600/note_2.png" - ], - "encryption": "AES-256+RSA", - "extensions": [ - ".l33tAF" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.5 bitcoins. 
The name of the creator is staffttt, he also created Fake CryptoLocker", - "value": "L33TAF Locker Ransomware" - }, - { - "meta": { - "synonyms": [ - "PClock SysGop Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/pclock4-sysgop-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-T9Mt0pE7kwY/WF7NKAPfv1I/AAAAAAAACxw/gOjxeSR0x7EurKQTI2p6Ym70ViYuYdsvQCLcB/s1600/note_2.png" - ], - "encryption": "AES-256+RSA", - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam (for example: “you have a criminal case against you”), fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "PClock4 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/guster-ransomware.html", - "https://twitter.com/BleepinComputer/status/812131324979007492" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-0-kDVCM-kuI/WGVH-d2trGI/AAAAAAAAC4A/4LlxFpwkhEk89QcJ5ZhO1i-T6dQ_RcVegCEw/s1600/guster-note-2.jpg" - ], - "encryption": "AES-256+RSA", - "extensions": [ - ".locked" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
This ransomware uses VBS-script to send a voice message as the first few lines of the note.", - "value": "Guster Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/roga-ransomware.html" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-ZIWywQMf2mY/WGJD-rqLZYI/AAAAAAAACzQ/p5PWlpWyHjcVHKq74DOsE7yS-ornW48_QCLcB/s1600/note.jpg" - ], - "encryption": "AES", - "extensions": [ - ".madebyadam" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker requests the ransom in Play Store cards. https://3.bp.blogspot.com/-ClUef8T55f4/WGKb8U4GeaI/AAAAAAAACzg/UFD0X2sORHYTVRNBSoqd5q7TBrOblQHmgCLcB/s1600/site.png", - "value": "Roga" - }, - { - "meta": { - "synonyms": [ - "Fake CryptoLocker" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/cryptolocker3-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-LDSJ7rws1WI/WGDR-oDSshI/AAAAAAAACyw/_Kn0mnjpm2YN5tS9YldEnca-zOLJpXjcACLcB/s1600/crypto1-2.gif" - ], - "encryption": "AES-128+RSA", - "extensions": [ - ".cryptolocker" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Creator is staffttt and the ransom is 0.5 botcoins.", - "value": "CryptoLocker3 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/proposalcrypt-ransomware.html", - "http://www.archersecuritygroup.com/what-is-ransomware/", - "https://twitter.com/demonslay335/status/812002960083394560", - "https://twitter.com/malwrhunterteam/status/811613888705859586" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-TkMikT4PA3o/WFrb4it2u9I/AAAAAAAACww/_zZgu9EHBj8Ibar8i5ekwaowGBD8EoOygCLcB/s1600/note.jpg" - ], - "encryption": "AES", - "extensions": [ - ".crypted" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 1.0 bitcoins.", - "value": "ProposalCrypt Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/manifestus-ransomware.html", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2016-cryptxxx-koolova-cerber-and-more/", - "https://twitter.com/struppigel/status/811587154983981056" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-85wiBKXIqro/WFrFOaNeSsI/AAAAAAAACwA/UyrPc2bKQCcznmtLTFkEfc6lEvhseyRYACLcB/s1600/lock1.jpg" - ], - "encryption": "AES", - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker demands 0.2 bitcoins. 
The ransomware poses as a Window update.", - "value": "Manifestus Ransomware " - }, - { - "meta": { - "synonyms": [ - "IDRANSOMv3", - "Manifestus" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/enkripsipc-ransomware.html", - "https://twitter.com/demonslay335/status/811343914712100872", - "https://twitter.com/BleepinComputer/status/811264254481494016", - "https://twitter.com/struppigel/status/811587154983981056" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-owEtII_eezA/WFmOp0ccjaI/AAAAAAAACvk/gjYcSeflS4AChm5cYO5c3EV4aSmzr14UwCLcB/s1600/enc100.gif" - ], - "encryption": "AES", - "extensions": [ - ".fucked" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the hacker is humanpuff69 and he requests 0.5 bitcoins. The encryption password is based on the computer name", - "value": "EnkripsiPC Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/braincrypt-ransomware.html" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-KrKO1vYs-1w/WFlw6bOfI_I/AAAAAAAACug/42w1VSl2GIoxRuA2SPKJr6xYp3c4OBnJQCLcB/s1600/note_2.png", - "https://3.bp.blogspot.com/-8bxTSAADM7M/WFmBEu-eUXI/AAAAAAAACvU/xaQBufV5a-4GWEJhXj2VVLqXnTjQJYNrwCLcB/s1600/note-brain2.jpg" - ], - "encryption": "AES", - "extensions": [ - ".braincrypt" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
So far the victims are from Belarus and Germany.", - "value": "BrainCrypt Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html", - "https://twitter.com/struppigel/status/810766686005719040" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-R-lKbH_tLvs/WGPRa-hCtqI/AAAAAAAAC1Y/zgKYZmys_jciaYhtTUsVLen5IHX8_LyiACLcB/s1600/note_2.png", - "RESTORE_YOUR_FILES.txt" - ], - "encryption": "AES", - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.2 bitcoins.", - "value": "MSN CryptoLocker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/cryptoblock-ransomware.html", - "https://twitter.com/drProct0r/status/810500976415281154" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-4Y7GZEsWh7A/WFfnmQFF7nI/AAAAAAAACsQ/j3rXZmWrDxMM6xhV1s4YVl_WLDe28cpAwCLcB/s1600/001.jpg" - ], - "encryption": "RSA-2048", - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is in the amount is 0.3 bitcoins. The ransomware is disguises themselves as Adobe Systems, Incorporated. RaaS", - "value": "CryptoBlock Ransomware " - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/aes-ni-ransomware.html" - ], - "ransomnotes": [ - "!!! 
READ THIS -IMPORTANT !!!.txt", - "https://4.bp.blogspot.com/-GdF-kk1j9-8/WFl6NVm3PAI/AAAAAAAACvE/guFIi_FUpgIQNzX-usJ8CpofX45eXPvkQCLcB/s1600/note_2.png" - ], - "encryption": "AES-256 (ECB) + RSA-2048", - "extensions": [ - ".aes256" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "AES-NI Ransomware " - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/koolova-ransomware.html", - "https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-free-if-you-read-two-articles-about-ransomware/" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-kz7PePfAiLI/WGTpY3us5LI/AAAAAAAAC3A/wu1rkx-BWlMzglJXXmCxeuYzbZKN5FP4gCLcB/s1600/koolova-v2.png" - ], - "encryption": "AES-256", - "extensions": [ - ".encrypted" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker of this ransomware tends to make lots of spelling errors in his requests. 
With Italian text that only targets the Test folder on the user's desktop", - "value": "Koolova Ransomware" - }, - { - "meta": { - "synonyms": [ - "Globe Imposter", - "GlobeImposter" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/", - "https://twitter.com/fwosar/status/812421183245287424", - "https://decrypter.emsisoft.com/globeimposter", - "https://twitter.com/malwrhunterteam/status/809795402421641216" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg", - "HOW_OPEN_FILES.hta" - ], - "encryption": "AES", - "extensions": [ - ".crypt" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 1bitcoin.", - "value": "Fake Globe Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/v8locker-ransomware.html" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-Acmbpw6fEaQ/WFUFKU9V9ZI/AAAAAAAACqc/47AceoWZzOwP9qO8uenjNVOVXeFJf7DywCLcB/s1600/note_2.png" - ], - "encryption": "RSA", - "extensions": [ - ".v8" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…", - "value": "V8Locker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/cryptorium-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-I0fsQu2YXMI/WFLb9LPdkFI/AAAAAAAACoY/xqRhgO1o98oruVDMC6rO4RxCk5MFDSTYgCLcB/s1600/lock.jpg" - ], - "encryption": "RSA", - "extensions": [ - ".ENC" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc., however your files are not really encrypted, only the names are changed.", - "value": "Cryptorium (Fake Ransomware)" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/antihacker2017-ransomware.html" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-k7iDPgj17Zo/WFKEfMvR4wI/AAAAAAAACn4/8irB4Tf1x_MjfTmWaAjuae6mFJbva6GcwCLcB/s1600/note.jpg" - ], - "encryption": "XOR", - "extensions": [ - ".antihacker2017" - ], - "date": "December 2016" - }, - "description": "It’s directed to Russian speaking users, there fore is able to infect mosty the old USSR countries. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc … The hacker goes by the nickname Antihacker and requests the victim to send him an email for the decryption. 
He does not request any money only a warning about looking at porn (gay, incest and rape porn to be specific).", - "value": "Antihacker2017 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/cia-special-agent-767-ransomware.html", - "https://www.bleepingcomputer.com/virus-removal/remove-cia-special-agent-767-screen-locker", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-16th-2016-samas-no-more-ransom-screen-lockers-and-more/", - "https://guides.yoosecurity.com/cia-special-agent-767-virus-locks-your-pc-screen-how-to-unlock/" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-6I7jtsp5Wi4/WFLqnfUvg5I/AAAAAAAACow/BCOv7etYxxwpIERR1Qs5fmJ2wKBx3sqmACLcB/s1600/screen-locker.png" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect users all over the world. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Your files are not really encrypted and nothing actually happens, however the hacker does ask the victim to pay a sum of 100$, after 5 days the sum goes up to 250$ and thereafter to 500$. After the payment is received, the victim gets the following message informing him that he has been fooled and he simply needed to delete the note. 
https://4.bp.blogspot.com/-T8iSbbGOz84/WFGZEbuRfCI/AAAAAAAACm0/SO8Srwx2UIM3FPZcZl7W76oSDCsnq2vfgCPcB/s1600/code2.jpg", - "value": "CIA Special Agent 767 Ransomware (FAKE!!!)" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/loveserver-ransomware.html" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-LY1A0aeA_c0/WFEduvkiNQI/AAAAAAAACjk/B2-nFQoExscMVvZqvCaf9R4z_C6-rSdvACLcB/s1600/note2.png.png" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker request your IP address in return for the decryption.", - "value": "LoveServer Ransomware " - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/kraken-ransomware.html" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-E4brsgJRDHA/WFBU7wPaYLI/AAAAAAAACjU/sLEkzMiWp5wuc8hpFbylC7lLVMhftCLGgCLcB/s1600/111m.png", - "https://2.bp.blogspot.com/-b5caw8XAvIQ/WFBUuOto40I/AAAAAAAACjQ/_yzwIU17BHw4Ke4E3wM_XBI1XfnAvGSZQCLcB/s1600/005.png", - "_HELP_YOUR_FILES.html" - ], - "encryption": "AES", - "extensions": [ - ".kraken", - "[base64].kraken" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The hacker requests 2 bitcoins in return for the files.", - "value": "Kraken Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/antix-ransomware.html" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-6iMtvGe3T58/WE8Ftx7zcUI/AAAAAAAACiE/2ISTxSYzgKEgnfQ7FSUWo3BiCeVLHH_uwCLcB/s1600/note.jpg" - ], - "encryption": "AES", - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 0.25 bitcoins and the nickname of the hacker is FRC 2016.", - "value": "Antix Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html", - "https://twitter.com/BleepinComputer/status/808316635094380544" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-MWEyG49z2Qk/WE78wLqCXPI/AAAAAAAAChw/SIlQSe_o_wMars2egfZ7VqKfWuan6ThwQCLcB/s1600/note1.jpg", - "!!!!!ATENÇÃO!!!!!.html" - ], - "encryption": "AES-256", - "extensions": [ - ".sexy" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is R$950 which is due in 5 days. 
(R$ is a Brazilian currency) Based off of Hidden-Tear", - "value": "PayDay Ransomware " - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/slimhem-ransomware.html" - ], - "encryption": "AES-256", - "extensions": [ - ".encrypted" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is NOT spread using email spam, fake updates, attachments and so on. It simply places a decrypt file on your computer.", - "value": "Slimhem Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/m4n1f3sto-ransomware.html" - ], - "ransomnotes": [ - "I want to play a game with you. Let me explain the rules. Your personal files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access therm. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when i start the next time you will het 1000 files deleted as punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together! 
Send 0.3 bitcoins to this adress to unlock your Pc with your email adress Your can purchase bitcoins from localbitcoins", - "https://3.bp.blogspot.com/-9MsC3A3tuUA/WFGZM45Pw5I/AAAAAAAACms/NbDFma30D9MpK2Zc0O6NvDizU8vqUWWlwCLcB/s1600/M4N1F3STO.jpg" - ], - "encryption": "AES-256", - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… FILES DON’T REALLY GET DELETED NOR DO THEY GET ENCRYPTED!!!!!!!", - "value": "M4N1F3STO Ransomware (FAKE!!!!!)" - }, - { - "meta": { - "synonyms": [ - "DaleLocker Ransomware" - ], - "encryption": "AES+RSA-512", - "extensions": [ - ".DALE" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… CHIP > DALE", - "value": "Dale Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/ultralocker-ransomware.html", - "https://twitter.com/struppigel/status/807161652663742465" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-DOjKnuzCMo8/WE1Xd8yksiI/AAAAAAAACfo/d93v2xn857gQDg4o5Rd4oZpP3q-Ipv9xgCLcB/s1600/UltraLocker.png" - ], - "encryption": "AES-256", - "extensions": [ - ".locked (added before the ending, not to the ending, for example: file.locked.doc" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Based on the idiotic open-source ransomware called CryptoWire", - "value": "UltraLocker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/aeskeygenassist-ransomware.html", - "https://id-ransomware.blogspot.co.il/2016/09/dxxd-ransomware.html", - "https://www.bleepingcomputer.com/forums/t/634258/aes-key-gen-assistprotonmailcom-help-support/" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-6NIoKnSTwcs/WExcV900C_I/AAAAAAAACfI/_Hba3mOwk3UQ0T5rGercOglMsCTjVtCnQCLcB/s1600/note2.png" - ], - "encryption": "AES-256 and RSA-2048", - "extensions": [ - ".pre_alpha" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…", - "value": "AES_KEY_GEN_ASSIST Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/code-virus-ransomware.html" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-Lyd1uRKG-94/WFJ3TbNqWfI/AAAAAAAACnc/4LoazYU0S1s1YRz3Xck3LN1vOm5RwIpugCLcB/s1600/note.jpg", - "https://4.bp.blogspot.com/-eBeh1lzEYsI/WFJ4l1oJ4fI/AAAAAAAACno/P5inceelNNk-zfkJGhE3XNamOGC8YmBwwCLcB/s1600/str123.gif" - ], - "encryption": "AES-256 and RSA-2048", - "extensions": [ - ".locky" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Code Virus Ransomware " - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/flkr-ransomware.html" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-Fh2I6542zi4/WEpmphY0i1I/AAAAAAAACe4/FBP3J6UraBMkSMTWx2tm-FRYnmlYLtFWgCLcB/s1600/note2.png.png" - ], - "encryption": "Blowfish", - "extensions": [ - "_morf56@meta.ua_" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "FLKR Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/popcorntime-ransomware.html", - "https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-WxtRn5yVcNw/WEmgAPgO4AI/AAAAAAAACeo/M7iS6L8pSOEr8EUDkCK_g6h0aMKQQXfGwCLcB/s1600/note2.png", - "https://3.bp.blogspot.com/-sLwR-6y2M-I/WEmVIdJuPMI/AAAAAAAACeY/gpQDT-2-d7kkrfTHgiEZCfxViHu7dNE7ACLcB/s1600/med.jpg", - "restore_your_files.html", - "restore_your_files.txt" - ], - "encryption": "AES-256", - "extensions": [ - ".kok", - ".filock" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. These hackers claim to be students from Syria. This ransomware poses as the popular torrent movie screener called PopCorn. These criminals give you the chance to retrieve your files “for free” by spreading this virus to others. 
Like shown in the note bellow: https://www.bleepstatic.com/images/news/ransomware/p/Popcorn-time/refer-a-friend.png", - "value": "PopCorn Time Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/hackedlocker-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-G-xrI4N08hs/WFJjQgB3ojI/AAAAAAAACnM/DEfy_skSg044UmbBfNodiQY4OaLkkQPOwCLcB/s1600/note-hacked.jpg" - ], - "encryption": "AES-256", - "extensions": [ - ".hacked" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… NO POINT OF PAYING THE RANSOM—THE HACKER DOES NOT GIVE A DECRYPT AFTERWARDS.", - "value": "HackedLocker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/goldeneye-ransomware.html", - "https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/", - "https://www.bleepingcomputer.com/forums/t/634778/golden-eye-virus/" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-qcJxWivTx1w/WEcEW14om5I/AAAAAAAACa4/xLAlsQGZjeg7Zlg3F2fQAcgQ_6b_cNQLACLcB/s1600/goldeneye-1.jpg", - "https://4.bp.blogspot.com/-avE8liOWdPY/WEcEbdTxx6I/AAAAAAAACa8/KOKgXzU1h2EJ0tTOKMdQzZ_JdWWNeFMdwCLcB/s1600/goldeneye-1-2.jpg" - ], - "encryption": "AES(CBC)", - "extensions": [ - "." - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…", - "value": "GoldenEye Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/sage-ransomware.html", - "https://www.bleepingcomputer.com/forums/t/634978/sage-file-sample-extension-sage/", - "https://www.bleepingcomputer.com/forums/t/634747/sage-20-ransomware-sage-support-help-topic/" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-GasUzax8cco/WEar0U0tPqI/AAAAAAAACZw/6V_1JFxLMH0UnmLa3-WZa_ML9JbxF0JYACEw/s1600/note-txt2.png" - ], - "encryption": "AES", - "extensions": [ - ".sage" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…", - "value": "Sage Ransomware" - }, - { - "meta": { - "synonyms": [ - "VO_ Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/12/sq-vo-ransomware.html" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-Lhq40sgYUpI/WEWpGkkWOKI/AAAAAAAACZQ/iOp9g9Ya0Fk9vZrNKwTEMVcEOzKFIwqgACLcB/s1600/english-2.png" - ], - "encryption": "AES and RSA-1024", - "extensions": [ - ".VO_" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker requests 4 bitcoins for ransom.", - "value": "SQ_ Ransomware" - }, - { - "meta": { - "synonyms": [ - "Malta Ransomware" - ], - "refs": [ - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/", - "https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html", - "https://twitter.com/rommeljoven17/status/804251901529231360" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png", - "[5 numbers]-MATRIX-README.RTF" - ], - "encryption": "AES and RSA", - "extensions": [ - ".MATRIX" - ], - "date": "December 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…", - "value": "Matrix" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/satan666-ransomware.html" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-anaLWyg_iJI/WFaxDs8KI3I/AAAAAAAACro/yGXh3AV-ZpAKmD4fpQbBkAyYXXnkqgR3ACLcB/s1600/note666_2.png" - ], - "encryption": "AES", - "extensions": [ - ".locked" - ], - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Satan666 Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html",
- "https://twitter.com/BleepinComputer/status/804810315456200704"
- ],
- "ransomnotes": [
- "https://2.bp.blogspot.com/-D-j_9_LZen0/WEPq4G5w5FI/AAAAAAAACXs/GTnckI3CGYQxuDMPXBzpGXDtarPK8yJ5wCLcB/s1600/note_2.PNG",
- "Important!.txt"
- ],
- "encryption": "AES-256",
- "extensions": [
- ".R.i.P"
- ],
- "date": "November 2016"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
- "value": "RIP (Phoenix) Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2016/11/novalid-ransomware.html",
- "https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/",
- "https://twitter.com/struppigel/status/807169774098796544"
- ],
- "ransomnotes": [
- "https://3.bp.blogspot.com/-BK_31ORE0ZY/WD284cEVoLI/AAAAAAAACWA/bU0n3MBMD8Mbgzv9bD6VLJb51Q_kr5AJgCLcB/s1600/note.jpg",
- "RESTORE_CORUPTED_FILES.HTML"
- ],
- "encryption": "AES-256",
- "extensions": [
- ".novalid"
- ],
- "date": "November 2016"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Based on RemindMe",
- "value": "Locked-In Ransomware or NoValid Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2016/11/chartwig-ransomware.html"
- ],
- "encryption": "AES",
- "date": "November 2016"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Chartwig Ransomware"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2016/11/renlocker-ransomware.html"
- ],
- "ransomnotes": [
- "https://3.bp.blogspot.com/-281TI8xvMLo/WDw2Nl72OsI/AAAAAAAACTk/nT_rL0z-Exo93FzoOXnyaFgQ7wPe0r7IgCLcB/s1600/Crypter1.jpg"
- ],
- "encryption": "Rename > Ren + Locker",
- "extensions": [
- ".crypter"
- ],
- "date": "November 2016"
- },
- "description": "It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files don’t actually get encrypted, their names get changed using this formula: [www-hash-part-]+[number]+[.crypter]",
- "value": "RenLocker Ransomware (FAKE)"
- },
- {
- "meta": {
- "refs": [
- "https://id-ransomware.blogspot.co.il/2016/11/thanksgiving-ransomware.html",
- "https://id-ransomware.blogspot.co.il/2016/07/stampado-ransomware-1.html",
- "https://twitter.com/BleepinComputer/status/801486420368093184"
- ],
- "ransomnotes": [
- "https://4.bp.blogspot.com/-2dC_gQTed4o/WDxRSh_R-MI/AAAAAAAACT4/yWxzCcMqN_8GLjd8dOPf6Mw16mkbfALawCLcB/s1600/lblMain.png"
- ],
- "encryption": "AES",
- "date": "November 2016"
- },
- "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Thanksgiving Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/cockblocker-ransomware.html", - "https://twitter.com/jiriatvirlab/status/801910919739674624" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/--45C2Cr8sXc/WDiWLTvW-ZI/AAAAAAAACSA/JnJNRr8Kti0YqSnfhPQBF2rsFf-au1g9ACLcB/s1600/Cockblocke.gif" - ], - "encryption": "RSA", - "extensions": [ - ".hannah" - ], - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "CockBlocker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/lomix-ransomware.html", - "https://twitter.com/siri_urz/status/801815087082274816" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-nXv88GxxOvQ/WE1gqeD3ViI/AAAAAAAACf4/wcVwQ9Pi_JEP2iWNHoBGmeXKJFsfwmwtwCLcB/s1600/Lomix.png" - ], - "encryption": "AES-256", - "extensions": [ - ".encrypted" - ], - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Based on the idiotic open-source ransomware called CryptoWire", - "value": "Lomix Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html", - "https://decrypter.emsisoft.com/ozozalocker", - "https://twitter.com/malwrhunterteam/status/801503401867673603" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-r-vBnl-wLwo/WDg7fHph9BI/AAAAAAAACRc/VuMxWa1nUPIGHCzhCf2AyL_uc7Z9iB6MACLcB/s1600/note_2.PNG", - "HOW TO DECRYPT YOU FILES.txt" - ], - "encryption": "AES", - "extensions": [ - ".locked", - ".Locked" - ], - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. https://3.bp.blogspot.com/--jubfYRaRmw/WDaOyZXkAaI/AAAAAAAACQE/E63a4FnaOfACZ07s1xUiv_haxy8cp5YCACLcB/s1600/ozoza2.png", - "value": "OzozaLocker Ransomware" - }, - { - "meta": { - "synonyms": [ - "m0on Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/crypute-ransomware-m0on.html", - "https://www.bleepingcomputer.com/virus-removal/threat/ransomware/" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-8-8X7Nd1MYs/WDSZN6NIT1I/AAAAAAAACNg/ltc7ppfZZL0vWn8BV3Mk9BVrdmJbcEnpgCLcB/s1600/222.jpg" - ], - "encryption": "AES", - "extensions": [ - ".mo0n" - ], - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Crypute Ransomware" - }, - { - "meta": { - "synonyms": [ - "Fake Maktub Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/nmoreira-ransomware.html", - "https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-_i9AjhlvjB8/WDVuLKBnmlI/AAAAAAAACOA/xISXMTBLMbEH4PBS35DQ416woPpkuiVvQCLcB/s1600/note-2.PNG", - "https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG" - ], - "encryption": "AES-256 + RSA", - "extensions": [ - ".maktub" - ], - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "NMoreira Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/vindowslocker-ransomware.html", - "https://malwarebytes.app.box.com/s/gdu18hr17mwqszj3hjw5m3sw84k8hlph", - "https://rol.im/VindowsUnlocker.zip", - "https://twitter.com/JakubKroustek/status/800729944112427008", - "https://www.bleepingcomputer.com/news/security/vindowslocker-ransomware-mimics-tech-support-scam-not-the-other-way-around/" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-61DcGSFljUk/WDM2UpFZ02I/AAAAAAAACMw/smvauQCvG3IPHOtEjPP4ocGKmBhVRBv-wCLcB/s1600/lock-note.png" - ], - "encryption": "AES", - "extensions": [ - ".vindows" - ], - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom amount is 349.99$ and the hacker seems to be from India. He disguises himself as Microsoft Support.", - "value": "VindowsLocker Ransomware" - }, - { - "meta": { - "refs": [ - "http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html", - "https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-RwJ6R-uvYg0/V-qfeRPz7GI/AAAAAAAABi8/7x4MxRP7Jp8edbTJqz4iuEye0q1u5k3pQCLcB/s1600/donald-trump-ransomware.jpg", - "https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/" - ], - "encryption": "AES", - "extensions": [ - ".ENCRYPTED" - ], - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Here is the original ransomware under this name: http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html", - "value": "Donald Trump 2 Ransomware" - }, - { - "meta": { - "synonyms": [ - "Voldemort Ransomware" - ], - "refs": [ - "http://id-ransomware.blogspot.co.il/2016/09/nagini-voldemort-ransomware.html", - "https://www.bleepingcomputer.com/news/security/the-nagini-ransomware-sics-voldemort-on-your-files/" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-qJHhbtoL1Y4/V-lOClxieEI/AAAAAAAABis/IbnVAY8hnmEfU8_iU1CgQ3FWeX4YZOkBACLcB/s1600/Nagini.jpg" - ], - "encryption": "RSA", - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Looks for C:\\Temp\\voldemort.horcrux", - "value": "Nagini Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/shelllocker-ransomware.html", - "https://twitter.com/JakubKroustek/status/799388289337671680" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-0N1ZUh4WcxQ/WDCfENY1eyI/AAAAAAAACKE/_RVIxRCwedMrD0Tj9o6-ew8u3pL0Y5w8QCLcB/s1600/lock-note2.jpg" - ], - "encryption": "AES", - "extensions": [ - ".l0cked", - ".L0cker" - ], - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "ShellLocker Ransomware" - }, - { - "meta": { - "synonyms": [ - "ChipLocker Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html", - "http://malware-traffic-analysis.net/2016/11/17/index.html", - "https://www.bleepingcomputer.com/news/security/rig-e-exploit-kit-now-distributing-new-chip-ransomware/" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-OvB9TMJoimE/WC9QXRPFNwI/AAAAAAAACJU/iYcCC9tKvGIu4jH2bd6xLvmO7KMVVCLdgCLcB/s1600/note_2.PNG", - "CHIP_FILES.txt" - ], - "encryption": "AES + RSA-512", - "extensions": [ - ".CHIP", - ".DALE" - ], - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Chip Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html", - "https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/" - ], - "ransomnotes": [ - "README.txt", - "README.jpg", - "Info.hta" - ], - "encryption": "AES + RSA-512", - "extensions": [ - ".dharma", - ".wallet", - ".zzzzz" - ], - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS > Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant", - "value": "Dharma Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/angela-merkel-ransomware.html", - "https://twitter.com/malwrhunterteam/status/798268218364358656" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-QaJ-Z27tL7s/WDCvwYY2UVI/AAAAAAAACKg/swpf1eKf1Y8oYIK5U8gbfi1H9AQ3Q3r8QCLcB/s1600/angela-merkel.jpg" - ], - "encryption": "AES", - "extensions": [ - ".angelamerkel" - ], - "date": "November 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Angela Merkel Ransomware" - }, - { - "meta": { - "synonyms": [ - "YafunnLocker" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html", - "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/", - "https://twitter.com/malwareforme/status/798258032115322880" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-skwh_-RY50s/WDK2XLhtt3I/AAAAAAAACL0/CaZ0A_fl2Zk-YZYU9g4QCQZkODpicbXpQCLcB/s1600/note_2.PNG", - "https://4.bp.blogspot.com/-tCYSY5fpE5Q/WDLLZssImkI/AAAAAAAACMg/7TmWPW3k4jQuGIYZN_dCxcSGcY_c4po9wCLcB/s1600/note3_2.PNG", - "%AppData%\\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt." - ], - "encryption": "AES-256 + RSA-2048", - "extensions": [ - "._luck" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "CryptoLuck Ransomware" - }, - { - "meta": { - "synonyms": [ - "Nemesis", - "X3M" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/crypton-ransomware.html", - "https://decrypter.emsisoft.com/crypton", - "https://www.bleepingcomputer.com/news/security/crypton-ransomware-is-here-and-its-not-so-bad-/", - "https://twitter.com/JakubKroustek/status/829353444632825856" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-2fAMkigwn4E/WCs1vKiB9UI/AAAAAAAACIs/_kgk8U9wfisV0MTYInIbArwL8zgLyBDIgCLcB/s1600/note-eng.png" - ], - "encryption": "AES-256 + RSA + SHA-256", - "extensions": [ - "_crypt", - ".id-_locked", - ".id-_locked_by_krec", - ".id-_locked_by_perfect", - ".id-_x3m", - ".id-_r9oj", - ".id-_garryweber@protonmail.ch", - ".id-_steaveiwalker@india.com_", - ".id-_julia.crown@india.com_", - ".id-_tom.cruz@india.com_", - ".id-_CarlosBoltehero@india.com_", - ".id-_maria.lopez1@india.com_" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Crypton Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/karma-ransomware.html", - "https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomware-being-distributed-via-pay-per-install-network/", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-18th-2016-crysis-cryptoluck-chip-and-more/" - ], - "ransomnotes": [ - "https://www.bleepstatic.com/images/news/ransomware/k/karma-ransomware/ransom-note.png", - "# DECRYPT MY FILES #.html", - "# DECRYPT MY FILES #.txt" - ], - "encryption": "AES", - "extensions": [ - ".karma" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. pretends to be a Windows optimization program called Windows-TuneUp", - "value": "Karma Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/wickedlocker-ht-ransomware.html" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-CTLT300bjNk/WCg9mrJArSI/AAAAAAAACGk/weWSqTMVS9AXdxJh_SA06SOH4kh2VGW1gCLcB/s1600/note_2.PNG.png" - ], - "encryption": "AES", - "extensions": [ - ".locked" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "WickedLocker HT Ransomware" - }, - { - "meta": { - "synonyms": [ - "PClock SuppTeam Ransomware", - "WinPlock", - "CryptoLocker clone" - ], - "refs": [ - "https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/", - "https://id-ransomware.blogspot.co.il/2016/11/suppteam-ransomware-sysras.html", - "http://researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/", - "https://decrypter.emsisoft.com/" - ], - "ransomnotes": [ - "Your files are locked !.txt", - "Your files are locked !!.txt", - "Your files are locked !!!.txt", - "Your files are locked !!!!.txt", - "%AppData%\\WinCL\\winclwp.jpg" - ], - "encryption": "AES or XOR", - "extensions": [ - ".locked" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoLocker Copycat", - "value": "PClock3 Ransomware" - }, - { - "meta": { - "synonyms": [ - "Kolobocheg Ransomware" - ], - "refs": [ - "https://www.ransomware.wiki/tag/kolobo/", - "https://id-ransomware.blogspot.co.il/2016/11/kolobo-ransomware.html", - "https://forum.drweb.com/index.php?showtopic=315142" - ], - "ransomnotes": [ - "https://www.ransomware.wiki/tag/kolobo/" - ], - "encryption": "XOR and RSA", - "extensions": [ - ".kolobocheg@aol.com_" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Kolobo Ransomware" - }, - { - "meta": { - "synonyms": [ - "Paysafecard Generator 2016" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/paysafegen-german-ransomware.html", - "https://twitter.com/JakubKroustek/status/796083768155078656" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-r2kaNLjBcEk/WCNCqrpHPZI/AAAAAAAACEE/eFSWuu4mUZoDV5AnduGR4KxHlFM--uIzACLcB/s1600/lock-screen.png" - ], - "encryption": "AES-256", - "extensions": [ - ".cry_" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect German speaking users, since the note is written in German. Mostly affects users in German speaking countries. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "PaySafeGen (German) Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/telecrypt-ransomware.html", - "http://www.securityweek.com/telecrypt-ransomwares-encryption-cracked", - "https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3", - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", - "https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-UFksnOoE4Ss/WCRUNbQuqyI/AAAAAAAACFI/Gs3Gkby335UmiddlYWJDkw8O-BBLt-BlQCLcB/s1600/telegram_rans.gif" - ], - "encryption": "AES", - "extensions": [ - ".Xcri" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect Russian speaking users, since the note is written in Russian. Therefore, residents of Russian speaking country are affected. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money ). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills. Telecrypt will generate a random string to encrypt with that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq.", - "value": "Telecrypt Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/cerbertear-ransomware.html", - "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/", - "https://twitter.com/struppigel/status/795630452128227333" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-ftA6aPEXwPM/WCDY3IiSq6I/AAAAAAAACCU/lnH25navXDkNccw5eQL9fkztRAeIqDYdQCLcB/s1600/note111.png" - ], - "encryption": "AES", - "extensions": [ - ".cerber" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "CerberTear Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/fucksociety-ransomware.html" - ], - "encryption": "RSA-4096", - "extensions": [ - ".dll" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Hidden Tear >> APT Ransomware + HYPERLINK \"https://id-ransomware.blogspot.ru/2016/05/remindme-ransomware-2.html\" \t \"_blank\" RemindMe > FuckSociety", - "value": "FuckSociety Ransomware" - }, - { - "meta": { - "synonyms": [ - "Serpent Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/paydos-ransomware-serpent.html", - "https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/", - "https://www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers" - ], - "ransomnotes": [ - "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html", - "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt" - ], - "encryption": "AES-256", - "extensions": [ - ".dng", - ".serpent" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Batch file; Passcode: AES1014DW256 or RSA1014DJW2048", - "value": "PayDOS Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/zscreenlocker-ransomware.html", - "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/", - "https://twitter.com/struppigel/status/794077145349967872" - ], - "encryption": "AES", - "extensions": [ - ".dng" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "zScreenLocker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/gremit-ransomware.html", - "https://twitter.com/struppigel/status/794444032286060544", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/" - ], - "ransomnotes": [ - "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/11-4-16/CwZubUHW8AAE4qi[1].jpg" - ], - "encryption": "AES", - "extensions": [ - ".rnsmwr" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Gremit Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/hollycrypt-ransomware.html" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-PdtXGwSTn24/WBxIoomzF4I/AAAAAAAAB-U/lxTwKWc7T9MJhUtcRMh1mn9m_Ftjox9XwCLcB/s1600/note_2.PNG" - ], - "encryption": "AES", - "extensions": [ - ".hollycrypt" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Hollycrypt Ransomware" - }, - { - "meta": { - "synonyms": [ - "BTC Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/btclocker-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/--7M0dtKhOio/WBxJx1PflYI/AAAAAAAAB-g/DSdMjLDLnVwwaMBW4H_98SzSJupLYm9WgCLcB/s1600/note_2.PNG" - ], - "encryption": "AES", - "extensions": [ - ".BTC" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "BTCLocker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/kangaroo-ransomware.html", - "https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-1jyI1HoqJag/WBzj9SLvipI/AAAAAAAAB_U/_sp8TglWEPQphG8neqrztfUUIjcBbVhDwCLcB/s1600/kangaroo-lock_2.png", - "filename.Instructions_Data_Recovery.txt" - ], - "encryption": "AES", - "extensions": [ - ".crypted_file" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. From the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda", - "value": "Kangaroo Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/dummyencrypter-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-2rS0Yq27wp0/WBtKfupZ2sI/AAAAAAAAB8I/0MR-9Xx0n-0zV_NBSScDCiYTp1KH-edtACLcB/s1600/Lockscreen_2.png" - ], - "encryption": "AES-256", - "extensions": [ - ".dCrypt" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "DummyEncrypter Ransomware" - }, - { - "meta": { - "synonyms": [ - "SFX Monster Ransomware" - ], - "refs": [ - "http://virusinfo.info/showthread.php?t=201710", - "https://id-ransomware.blogspot.co.il/2016/11/encryptss77-ransomware.html" - ], - "ransomnotes": [ - "YOUR FILES ARE ENCRYPTED THAT THEIR DECRYPT SEND EMAIL US AT encryptss77@gmail.com IN MESSAGE INDICATE IP ADDRESS OF COMPUTER WHERE YOU SAW THIS MESSAGE YOU CAN FIND IT ON 2IP.RU WE WILL REPLY TO YOU WITHIN 24 HOURS" - ], - "encryption": "AES-256", - "extensions": [ - ".dCrypt" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Encryptss77 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/winrarer-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-zb0TP0wza7I/WBpShN0tCMI/AAAAAAAAB64/oTkSFwKFVx8hY1rEs5FQU6F7oaBW-LqHwCLcB/s1600/note_2.png" - ], - "encryption": "AES-256", - "extensions": [ - ".ace" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "WinRarer Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/russian-globe-ransomware.html" - ], - "ransomnotes": [ - "YOUR FILES HAVE BEEN ENCRYPTED! Your personal ID ***** Your file have been encrypted with a powerful strain of a virus called ransomware. Your files are encrypted using the same methods banks and the military use. There is currently no possible way to decrypt files with the private key. Lucky for you, we can help. We are willing to sell you a decryptor UNIQUELY made for your computer (meaning someone else's decryptor will not work for you). Once you pay a small fee, we will instantly send you the software/info necessary to decrypt all your files, quickly and easily." - ], - "encryption": "AES-256", - "extensions": [ - ".blackblock" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Russian Globe Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/11/zerocrypt-ransomware.html" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-0AGEY4vAlA0/WBi_oChzFNI/AAAAAAAAB4w/8PrPRfFU30YFWCwHzqnsx4bYISVNFyesQCLcB/s1600/note.PNG" - ], - "encryption": "AES-256", - "extensions": [ - ".zn2016" - ], - "date": "November 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "ZeroCrypt Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/rotorcrypt-ransomware.html" - ], - "ransomnotes": [ - "Good day Your files were encrypted/locked As evidence can decrypt file 1 to 3 1-30MB The price of the transcripts of all the files on the server: 7 Bitcoin Recommend to solve the problem quickly and not to delay Also give advice on how to protect Your server against threats from the network (Files sql mdf backup decryption strictly after payment)!" - ], - "encryption": "RSA", - "extensions": [ - ".c400", - ".c300" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "RotorCrypt(RotoCrypt, Tar) Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/ishtar-ransomware.html" - ], - "ransomnotes": [ - "FOR FILE DISCRIPTION, PLEASE CONTACT YOU@edtonmail@protonmail.com Or BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/ BASIC TECHNICAL DETAILS: > Standard encryption order: AES 256 + RSA 2048. > A unique AES key is created for each file. > Decryption is impossible without the ISHTAR.DATA file (see% APPDATA% directory). ----- TO DECRYPT YOUR FILES PLEASE WRITE TO youneedmail@protonmail.com OR TO BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/ BASIC TECHNICAL DETAILS: > Standart encryption routine: AES 256 + RSA 2048. > Every AES key is unique per file. > Decryption is impossible without ISHTAR.DATA file (see% APPDATA% path)." 
- ], - "encryption": "AES-256 + RSA-2048", - "extensions": [ - "ISHTAR-. (prefix)" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.", - "value": "Ishtar Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html", - "https://twitter.com/struppigel/status/791943837874651136" - ], - "ransomnotes": [ - "IMPORTANT!!!! All of your computer files have been encrypted. DO NOT CHANGE ANY FILES! We can restore all the files. How to restore files: - \n1) Follow this link: - http://goo.gl/forms/VftoBRppkJ \n2) Fill out the form above. \n3) For 24 hours on your email + mobile SMS will come instructions for solving the problem. Thank you! DarkWing020", - "https://3.bp.blogspot.com/-gqEyoqXbZnE/WBXoF5bPZZI/AAAAAAAAB2U/YGpgIdjXyQQeDnwc9PlJs37YWtWTnH_wgCLcB/s1600/note.jpg", - "CreatesReadThisFileImportant.txt" - ], - "extensions": [ - ".hcked" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "MasterBuster Ransomware" - }, - { - "meta": { - "synonyms": [ - "Jack.Pot Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/jackpot-ransomware.html", - "https://twitter.com/struppigel/status/791639214152617985", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-oaElZvUqbfo/WBUOGdD8unI/AAAAAAAAB1w/Ya1_qq0gfa09AhRddUITQNRxKloXgD_BwCLcB/s1600/wallp.jpg" - ], - "extensions": [ - ".coin" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "JackPot Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/onyx-ransomware.html", - "https://twitter.com/struppigel/status/791557636164558848", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/" - ], - "ransomnotes": [ - "All your files are encrypted, but do not worry, they have not been removed. (for now) You have 24 hours to pay $100. Money move to the specified Bitcoin -account. Otherwise, all files will be destroyed. Do not turn off the computer and/or do not attempt to disable me. 
When disobedience will be deleted 100 files.", - "https://1.bp.blogspot.com/-cukkC4KAhZE/WBY1jJbcQoI/AAAAAAAAB3I/p8p-iNQRnQwnP6c6H77h_SHMQNAlkJ1CgCLcB/s1600/onyx.jpg" - ], - "extensions": [ - ".Encryption:" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Georgian ransomware", - "value": "ONYX Ransomeware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/ifn643-ransomware.html", - "https://twitter.com/struppigel/status/791576159960072192", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-JuBZKpEHV0Q/WBYNHFlW7pI/AAAAAAAAB20/z0DPYA_8l6U8tB6pbgo8ZwyIJRcrIVy2ACLcB/s1600/Note1.JPG" - ], - "encryption": "AES", - "extensions": [ - ".inf643" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "IFN643 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/alcatraz-locker-ransomware.html", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/", - "https://twitter.com/PolarToffee/status/792796055020642304" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-b0-Uvnz703Q/WBcMGkZqtwI/AAAAAAAAB3Y/a6clIjdp_tI2T-OE_ykyjvB2qNY3gqWdQCLcB/s1600/Screenshot_1.jpg", - "https://2.bp.blogspot.com/-y5a6QnjAiv0/WBcMKV0zDDI/AAAAAAAAB3c/ytOQHJgmy30H_jEWPcfht7RRsh4NhcrvACLcB/s1600/Screenshot_2.jpg", - "ransomed.hTmL" - ], - "encryption": "AES", - "extensions": [ - ".Alcatraz" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Alcatraz Locker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/esmeralda-ransomware.html", - "https://www.bleepingcomputer.com/forums/t/630835/esmeralda-ransomware/" - ], - "ransomnotes": [ - "Windows has encountered a critical problem and needs your immediate action to recover your data. The system access is locked and all the data have been encrypted to avoid the information be published or misused. You will not be able to access to your files and ignoring this message may cause the total loss of the data. We are sorry for the inconvenience. You need to contact the email below to restore the data of your system. 
Email: esmeraldaencryption@mail.ru You will have to order the Unlock-Password and the Esmeralda Decryption Software. All the instructions will be sent to you by email.", - "https://2.bp.blogspot.com/-vaWu8OjSiXE/WBzkLBdB8DI/AAAAAAAAB_Y/k8vvtYEIdTkFJhruRJ6qDNAujAn4Ph-xACLcB/s1600/esmeralda-lock_2.png" - ], - "encryption": "AES", - "extensions": [ - ".encrypted" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Esmeralda Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/encryptile-ransomware.html" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-_jxt6kCRnwM/WBNf7mi92nI/AAAAAAAAB0g/homx8Ly379oUKAOIhZU6MxCiWX1gA_TkACLcB/s1600/wallp.jpg" - ], - "encryption": "AES", - "extensions": [ - ".encrypted" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "EncrypTile Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/fileice-ransomware-survey.html", - "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-GAPCc3ITdQY/WBMTmJ4NaRI/AAAAAAAABzM/XPbPZvZ8vbUrOWxtwPmfHFJiNT_2gfaOgCLcB/s1600/fileice-source.png" - ], - "encryption": "AES", - "extensions": [ - ".encrypted" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of how the hacker tricks the user using the survey method. 
https://1.bp.blogspot.com/-72ECd1vsUdE/WBMSzPQEgzI/AAAAAAAABzA/i8V-Kg8Gstcn_7-YZK__PDC2VgafWcfDgCLcB/s1600/survey-screen.png The hacker definatly has a sense of humor: https://1.bp.blogspot.com/-2AlvtcvdyUY/WBMVptG_V5I/AAAAAAAABzc/1KvAMeDmY2w9BN9vkqZO8LWkBu7T9mvDACLcB/s1600/ThxForYurTyme.JPG", - "value": "Fileice Ransomware Survey Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/cryptowire-ransomware.html", - "https://twitter.com/struppigel/status/791554654664552448", - "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-vIMgkn8WVJM/WBJAxkbya7I/AAAAAAAABys/tCpaTOxfGDw8A611gudDh46mhZT70dURwCLcB/s1600/lock-screen.jpg", - "https://1.bp.blogspot.com/-b0QiEQec0Pg/WBMf2HG6hjI/AAAAAAAABz8/BtN2-INZ2KQ4W2_iPqvDZTtlA0Aq_4gVACLcB/s1600/Screenshot_2.jpg" - ], - "encryption": "AES-256", - "extensions": [ - ".encrypted" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "CryptoWire Ransomeware" - }, - { - "meta": { - "synonyms": [ - "Hungarian Locky Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html", - "https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe", - "https://twitter.com/struppigel/status/846241982347427840" - ], - "ransomnotes": [ - "https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png", - "!!! IMPORTANT INFORMATION !!!! All files are encrypted using RSA-3072 and AES128 encryption. 
You can learn more about RSA and AES ciphers here: Https://hu.wikipedia.org/wiki/RSA-eljárás Https://hu.wikipedia.org/wiki/Advanced_Encryption_Standard To return files, you need to get a secret key and decryption program. To get the key, please follow these steps: \n1. Send an identification code to the email address locky@mail2tor.com! If you want, send a 1 MB file for decryption. In order to prove that we can recover data. (Please, email must contain only the identification code, as well as the attachment) \n3. Please note, check the mail, we will send you an email within 24 hours! You will receive a decrypted file and decryption program in the attachment. Follow the instructions in the email.!!! Your identification code !!!", - "_Adatok_visszaallitasahoz_utasitasok.txt", - "_locky_recover_instructions.txt" - ], - "encryption": "AES-128+RSA", - "extensions": [ - ".locky", - "[a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on Locky", - "value": "Hucky Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/winnix-cryptor-ransomware.html", - "https://twitter.com/PolarToffee/status/811940037638111232" - ], - "ransomnotes": [ - "Your files are encrypted! Your files have been safely encrypted on this PC: photos, documents, databases, etc. Encryption was produced using a unique public key generated for this computer. To decrypt files you need to obtain the private key. The only way to get the private key is to pay 4 BTC. You saved it on qualified system administrator who could make your network safe and secure. 
In order to decrypt the files send your bitcoins to the following address: 13gYXFxpzm7hAd4esdnJGt9JvYqyD1Y6by After you complete your payment, send an email to 6214ssxpvo@sigaint.org with YOUR ID as subject (ID is in the end of the file) and you'll receive private key, needed software and step by step guide in 1 business day. Offer is valid for 5 business days (expiration date is in the end of the file). AFTER TIME IS UP, PRICE DOUBLES. No discounts, no other payment methods. How to buy bitcoins? \n1. Create a Bitcoin Wallet (we recommend Blockchain.info) \n2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (= 0.0005). Here are our recommendations: LocalBitcoins.com – the fastest and easiest way to buy and sell Bitcoins; CoinCafe.com – the simplest and fastest way to buy, sell and use Bitcoins; BTCDirect.eu – the best for Europe; CEX.IO – Visa / MasterCard; CoinMama.com – Visa / MasterCard; HowToBuyBitcoins.info – discover quickly how to buy and sell bitcoins in your local currency. More questions? Send an email to 6214ssxpvo@sigaint.org ID: *** EXP DATE: Sept. 12 2016 Winnix Cryptor Team", - "YOUR FILES ARE ENCRYPTED!.txt" - ], - "encryption": "AES", - "extensions": [ - ".wnx" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Winnix Cryptor Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html", - "https://twitter.com/demonslay335/status/790334746488365057" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-k3s85Fx9N_E/WBIfuUNTMmI/AAAAAAAAByM/rQ10tKuXTlEJfLTOoBwJPo7rhhaiK2OoQCLcB/s1600/screen-lock.jpg", - "ANGRY DUCK! All your important files have been encrypted using very string cryptography (AES-512 With RSA-64 FIPS grade encryption). To recover your files, send 10 BTC to my private wallet DON'T MESS WITH THE DUCKS!!!" - ], - "encryption": "AES-512", - "extensions": [ - ".adk" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Demands 10 BTC", - "value": "AngryDuck Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/lock93-ransomware.html", - "https://twitter.com/malwrhunterteam/status/789882488365678592" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-WuD2qaaNIb0/WA4_g_FnIfI/AAAAAAAABx4/pn6VNqMXMzI_ryvKUruY3ctYtzomT1I4gCLcB/s1600/note3.jpg", - "https://1.bp.blogspot.com/-S6M83oFxSdM/WA4_ak9WATI/AAAAAAAABx0/3FL3q21FdxMQvAgrr2FORQIaNtq2-P2jACLcB/s1600/note2.jpg" - ], - "encryption": "AES-512", - "extensions": [ - ".lock93" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Lock93 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html", - "https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-5gZpxeEWqZg/WBeNnEP9GzI/AAAAAAAAB4g/ELCCp88whLMI6CzpGTjlxbmXBMFIKhwtwCLcB/s1600/onion-site.JPG", - "!!!!!readme!!!!!.htm" - ], - "encryption": "AES-512", - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "ASN1 Encoder Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/click-me-ransomware.html", - "https://www.youtube.com/watch?v=Xe30kV4ip8w" - ], - "ransomnotes": [ - "All right my dear brother!!! Enough free playing. Your files have been encrypted. Pay so much this much money so I can send you the password for your files. I can be paid this much too cause I am very kind. So move on I didn't raise the price." - ], - "encryption": "AES", - "extensions": [ - ".hacked" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
The hacker tries to get the user to play a game and when the user clicks the button, there is no game, just 20 pictures in a .gif below: https://3.bp.blogspot.com/-1zgO3-bBazs/WAkPYqXuayI/AAAAAAAABxI/DO3vycRW-TozneSfRTdeKyXGNEtJSMehgCLcB/s1600/all-images.gif", - "value": "Click Me Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG" - ], - "encryption": "AES-256 + RSA-2048", - "extensions": [ - ".hacked" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "AiraCrop Ransomware" - }, - { - "meta": { - "synonyms": [ - "SHC Ransomware", - "SHCLocker", - "SyNcryption" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/japanlocker-ransomware.html", - "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/japanlocker", - "https://github.com/fortiguard-lion/schRansomwareDecryptor/blob/master/schRansomwarev1_decryptor.php", - "https://blog.fortinet.com/2016/10/19/japanlocker-an-excavation-to-its-indonesian-roots" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-sdlDK4OIuPA/WAehWZYHaMI/AAAAAAAABvc/TcAcLG2lw10aOFY3FbP1A5EuLjL6LR62ACLcB/s1600/note.jpg" - ], - "encryption": "AES-256 + RSA-2048", - "extensions": [ - "#LOCK#" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Base64 encoding, ROT13, and top-bottom swapping", - "value": "JapanLocker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html", - "http://nyxbone.com/malware/Anubis.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-0YMsPH5WuTk/WAepI4BnqZI/AAAAAAAABv0/yXt4tdrmmAIf-N9KUmehY6mK1kTV-eFFQCLcB/s1600/note-wal2.jpg", - "Decryption Instructions.txt" - ], - "encryption": "AES(256)", - "extensions": [ - ".coded" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. EDA2", - "value": "Anubis Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/xtplocker-ransomware.html" - ], - "ransomnotes": [ - "Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency to receive a decryption key. To purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress : 16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB After payment contact us to receive your decryption key. 
In mail title write your unique ID: {custom id visually resembling a MAC address} Our e-mail: crypt302@gmx.com" - ], - "encryption": "AES-256", - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "XTPLocker 5.0 Ransomware" - }, - { - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/eviltwins-exotic-ransomware-targets-executable-files/", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/", - "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/exotic-ransomware", - "https://id-ransomware.blogspot.co.il/2016/10/exotic-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-WJYR7LkWHWY/WAaCYScljOI/AAAAAAAABuo/j18AGhzv7WUPb2r4HWkYm4TPgYw9S5PUwCLcB/s1600/note1-1.jpg", - "https://4.bp.blogspot.com/-2QxJ3KCRimI/WAaCcWcE2uI/AAAAAAAABus/9SGRY5iQT-ITfG_JrY7mn6-PUpQrSKg7gCLcB/s1600/note1-2.jpg", - "https://3.bp.blogspot.com/-SMXOoWiGkxw/WAaGOMdecrI/AAAAAAAABu8/S-YjlWlPKbItSN_fe8030tMDHWzouHsIgCLcB/s1600/note2.jpg" - ], - "encryption": "AES-128", - "extensions": [ - ".exotic", - "random.exotic" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Also encrypts executables", - "value": "Exotic Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/apt-ransomware-2.html" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-VTUhk_Py2FA/WAVCO1Yn69I/AAAAAAAABuI/N71wo2ViOE0UjrIdbeulBRTJukHtA2TdACLcB/s1600/ransom-note.jpg" - ], - "encryption": "AES-128", - "extensions": [ - ".dll" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. NO POINT TO PAY THE RANSOM, THE FILES ARE COMPLETELY DESTROYED", - "value": "APT Ransomware v.2" - }, - { - "meta": { - "synonyms": [ - "WS Go Ransonware", - "Trojan.Encoder.6491" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/ws-go-ransonware.html", - "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/apt-ransomware-v2" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-NfRePJbfjbY/WAe5LHFsWaI/AAAAAAAABwE/1Pk116TDqAYEDYvnu2vzim1l-H5seW9mQCLcB/s1600/note.png" - ], - "encryption": "AES-256", - "extensions": [ - ".enc" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Windows_Security Ransonware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/ncrypt-ransomware.html" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-k7T79DnBk8w/WBc67QXyjWI/AAAAAAAAB3w/QbA-E9lYdSMOg3PcG9Vz8fTc_OhmACObACLcB/s1600/note-html.jpg" - ], - "encryption": "AES", - "extensions": [ - ".NCRYPT", - ".ncrypt" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "NCrypt Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/venis-ransomware.html", - "https://twitter.com/Antelox/status/785849412635521024", - "http://pastebin.com/HuK99Xmj" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-IFEOWjw-aaQ/WAXTu9oEN4I/AAAAAAAABuY/APqBiaHn3pAX8404Noyuj7tnFJDf2m_XACLcB/s1600/note1.jpg" - ], - "encryption": "AES-2048", - "extensions": [ - ".venis" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
In devVenisRansom@protonmail.com", - "value": "Venis Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/enigma-2-ransomware.html" - ], - "ransomnotes": [ - "We encrypt important files on your computer: documents, databases, photos, videos and keys. Files encryption algorithm AES 128 (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) with a private key that only we know. Encrypted files have .1txt extension. It decrypts files without the private key IMPOSSIBLE. \nIf you want to get the files back: \n1) Install the Tor Browser http://www.torproject.org/ \n2) Locate the desktop key to access E_N_I_G_M_A.RSA site (password is encrypted in the key of your files) \n3) Go to the website http://kf2uimw5omtgveu6.onion/ into a torus-browser and log in using E_N_I_G_M_A.RSA \n4) Follow the instructions on the website and download the decoder \nC:\\Documents and Settings\\Администратор\\Рабочийстол\\E_N_I_G_M_A.RSA - The path to the key file on the desktop C:\\DOCUME~1\\9335~1\\LOCALS~1\\Temp\\E_N_I_G_M_A.RSA - The path to the key file in TMP directory" - ], - "encryption": "AES-128", - "extensions": [ - ".1txt" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Enigma 2 Ransomware" - }, - { - "meta": { - "synonyms": [ - "Deadly for a Good Purpose Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/deadly-ransomware.html", - "https://twitter.com/malwrhunterteam/status/785533373007728640" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-XZiiaCYM9Bk/WAUsUkrCJEI/AAAAAAAABtk/z-sMHflz3Q8_aWc-K9PD0N5TGkSGwwQnACLcB/s1600/note-html.jpg" - ], - "encryption": "AES-256", - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. sample is set to encrypt only in 2017...", - "value": "Deadly Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/comrade-circle-ransomware.html" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-MmzOC__9qPA/V__t2kNX-SI/AAAAAAAABrc/t8ypPa1jCIUbPfvR7UGbdGzdvKrbAv_DgCLcB/s1600/wallpaper.jpg", - "https://4.bp.blogspot.com/-hRoC-UFr-7o/V__tAEFuZWI/AAAAAAAABrQ/xDawlulx8Bg4uEtX4bU2ezPMY-x6iFiuQCLcB/s1600/note-1ch.JPG", - "https://4.bp.blogspot.com/-PdYtm6sRHAI/WAEngHQBg_I/AAAAAAAABsA/nh8m7__b0wgviTEBahyNYK4HFhF1v7rOQCLcB/s1600/icon-stalin-2.jpg" - ], - "encryption": "AES-256", - "extensions": [ - ".comrade" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Comrade Circle Ransomware" - }, - { - "meta": { - "synonyms": [ - "Purge Ransomware" - ], - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/globe2-ransomware.html", - "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221" - ], - "ransomnotes": [ - "https://3.bp.blogspot.com/-MYI30xhrcZU/V_qcDyASJsI/AAAAAAAABpU/Pej5jDk_baYBByLx1cXwFL8LBiT8Vj3xgCLcB/s1600/note22.jpg" - ], - "encryption": "AES-256 or Blowfish", - "extensions": [ - ".raid10", - ".[random].raid10", - ".blt", - ".globe", - ".[random].blt", - ".encrypted", - ".[random].globe", - ".[random].encrypted", - ".mia.kokers@aol.com", - ".[mia.kokers@aol.com]", - ".lovewindows", - ".openforyou@india.com", - ".." - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Globe2 Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/kostya-ransomware.html", - "http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/" - ], - "ransomnotes": [ - "https://2.bp.blogspot.com/-E_MI2fT33J0/V_k_9Gjkj4I/AAAAAAAABpA/-30UT5HhPAAR9YtVkFwgrYqLIdWPprZ9gCLcB/s1600/lock-screen.jpg", - "https://2.bp.blogspot.com/-4YmIkWfYfRA/V_lAALhfSvI/AAAAAAAABpE/Dj35aroKXSwbLXrSPqGCzbvhsTNHdsbAgCLcB/s1600/kostya.jpg" - ], - "encryption": "AES-256", - "extensions": [ - ".k0stya" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. 
English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Kostya Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/10/fs0ciety-locker-ransomware.htm" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-nskzYgbg7Ac/V_jpJ3GApqI/AAAAAAAABos/EbG_-BLDPqA9bRVOWdzHjPnDWFiHYlsJwCLcB/s1600/ransom-note.png" - ], - "encryption": "AES-256 CBC", - "extensions": [ - ".comrade" - ], - "date": "October 2016" - }, - "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Fs0ciety Locker Ransomware" - }, - { - "meta": { - "refs": [ - "https://id-ransomware.blogspot.co.il/2016/09/erebus-ransomware.html" - ], - "ransomnotes": [ - "https://4.bp.blogspot.com/-E9WbSxLgaYs/WGn8gC6EfvI/AAAAAAAAC8A/bzd7uP9fcxU6Fyq1n6-9ZbUUGWlls9lrwCLcB/s1600/note-txt_2.png" - ], - "encryption": "AES", - "extensions": [ - ".ecrypt" - ], - "date": "September 2016" - }, - "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
After the files are decrypted, the shadow files are deleted using the following command: vssadmin.exe Delete Shadows /All /Quiet", - "value": "Erebus Ransomware" - }, - { - "meta": { - "synonyms": [ - "WannaCrypt", - "WannaCry", - "WanaCrypt0r", - "WCrypt", - "WCRY" - ], - "refs": [ - "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168" - ], - "date": "May 2017" - }, - "description": "According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.", - "value": "WannaCry" - }, - { - "value": ".CryptoHasYou.", - "description": "Ransomware", - "meta": { - "extensions": [ - ".enc" - ], - "encryption": "AES(256)", - "ransomnotes": [ - "YOUR_FILES_ARE_LOCKED.txt" - ], - "refs": [ - "http://www.nyxbone.com/malware/CryptoHasYou.html" - ] - } - }, - { - "value": "777", - "description": "Ransomware", - "meta": { - "synonyms": [ - "Sevleg" - ], - "extensions": [ - ".777", - "._[timestamp]_$[email]$.777", - "e.g. 
._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777" - ], - "encryption": "XOR", - "ransomnotes": [ - "read_this_file.txt" - ], - "refs": [ - "https://decrypter.emsisoft.com/777" - ] - } - }, - { - "value": "7ev3n", - "description": "Ransomware", - "meta": { - "synonyms": [ - "7ev3n-HONE$T" - ], - "extensions": [ - ".R4A", - ".R5A" - ], - "ransomnotes": [ - "FILES_BACK.txt" - ], - "refs": [ - "https://github.com/hasherezade/malware_analysis/tree/master/7ev3n", - "https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be", - "http://www.nyxbone.com/malware/7ev3n-HONE$T.html" - ] - } - }, - { - "value": "8lock8", - "description": "Ransomware Based on HiddenTear", - "meta": { - "extensions": [ - ".8lock8" - ], - "encryption": "AES-256", - "ransomnotes": [ - "READ_IT.txt" - ], - "refs": [ - "http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/" - ] - } - }, - { - "value": "AiraCrop", - "description": "Ransomware related to TeamXRat", - "meta": { - "extensions": [ - "._AiraCropEncrypted" - ], - "ransomnotes": [ - "How to decrypt your files.txt" - ], - "refs": [ - "https://twitter.com/PolarToffee/status/796079699478900736" - ] - } - }, - { - "value": "Al-Namrood", - "description": "Ransomware", - "meta": { - "extensions": [ - ".unavailable", - ".disappeared" - ], - "ransomnotes": [ - "Read_Me.Txt" - ], - "refs": [ - "https://decrypter.emsisoft.com/al-namrood" - ] - } - }, - { - "value": "ALFA Ransomware", - "description": "Ransomware Made by creators of Cerber", - "meta": { - "extensions": [ - ".bin" - ], - "ransomnotes": [ - "README HOW TO DECRYPT YOUR FILES.HTML" - ], - "refs": [ - "http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/" - ] - } - }, - { - "value": "Alma Ransomware", - "description": "Ransomware", - "meta": { - "extensions": [ - "random", - "random(x5)" - ], - "encryption": "AES-128", - "ransomnotes": [ - "Unlock_files_randomx5.html" - ], - "refs": [ - 
"https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&__hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&__hssc=61627571.1.1472593507113&__hsfp=1114323283", - "https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter", - "http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/" - ] - } - }, - { - "value": "Alpha Ransomware", - "description": "Ransomware", - "meta": { - "synonyms": [ - "AlphaLocker" - ], - "extensions": [ - ".encrypt" - ], - "encryption": "AES-256", - "ransomnotes": [ - "Read Me (How Decrypt) !!!!.txt" - ], - "refs": [ - "http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip", - "http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/", - "https://twitter.com/malwarebread/status/804714048499621888" - ] - } - }, - { - "value": "AMBA", - "description": "Ransomware Websites only amba@riseup.net", - "meta": { - "extensions": [ - ".amba" - ], - "ransomnotes": [ - "ПРОЧТИ_МЕНЯ.txt", - "READ_ME.txt" - ], - "refs": [ - "https://twitter.com/benkow_/status/747813034006020096" - ] - } - }, - { - "value": "AngleWare", - 
"description": "Ransomware", - "meta": { - "extensions": [ - ".AngleWare" - ], - "ransomnotes": [ - "READ_ME.txt" - ], - "refs": [ - "https://twitter.com/BleepinComputer/status/844531418474708993" - ] - } - }, - { - "value": "Anony", - "description": "Ransomware Based on HiddenTear", - "meta": { - "synonyms": [ - "ngocanh" - ], - "refs": [ - "https://twitter.com/struppigel/status/842047409446387714" - ] - } - }, - { - "value": "Apocalypse", - "description": "Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru", - "meta": { - "synonyms": [ - "Fabiansomeware" - ], - "extensions": [ - ".encrypted", - ".SecureCrypted", - ".FuckYourData", - ".unavailable", - ".bleepYourFiles", - ".Where_my_files.txt", - "[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]", - "*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}" - ], - "ransomnotes": [ - "*.How_To_Decrypt.txt", - "*.Contact_Here_To_Recover_Your_Files.txt", - "*.Where_my_files.txt", - "*.Read_Me.Txt", - "*md5*.txt" - ], - "refs": [ - "https://decrypter.emsisoft.com/apocalypse", - "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" - ] - } - }, - { - "value": "ApocalypseVM", - "description": "Ransomware Apocalypse ransomware version which uses VMprotect", - "meta": { - "extensions": [ - ".encrypted", - ".locked" - ], - "ransomnotes": [ - "*.How_To_Get_Back.txt" - ], - "refs": [ - "http://decrypter.emsisoft.com/download/apocalypsevm" - ] - } - }, - { - "value": "AutoLocky", - "description": "Ransomware", - "meta": { - "extensions": [ - ".locky" - ], - "ransomnotes": [ - "info.txt", - "info.html" - ], - "refs": [ - "https://decrypter.emsisoft.com/autolocky" - ] - } - }, - { - "value": "Aw3s0m3Sc0t7", - "description": "Ransomware", - "meta": { - "extensions": [ - ".enc" - ], - "refs": [ - "https://twitter.com/struppigel/status/828902907668000770" - 
] - } - }, - { - "value": "BadBlock", - "description": "Ransomware", - "meta": { - "ransomnotes": [ - "Help Decrypt.html" - ], - "refs": [ - "https://decrypter.emsisoft.com/badblock", - "http://www.nyxbone.com/malware/BadBlock.html", - "http://www.nyxbone.com/images/articulos/malware/badblock/5.png" - ] - } - }, - { - "value": "BaksoCrypt", - "description": "Ransomware Based on my-Little-Ransomware", - "meta": { - "extensions": [ - ".adr" - ], - "refs": [ - "https://twitter.com/JakubKroustek/status/760482299007922176", - "https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-ransomware/" - ] - } - }, - { - "value": "Bandarchor", - "description": "Ransomware Files might be partially encrypted", - "meta": { - "synonyms": [ - "Rakhni" - ], - "extensions": [ - ".id-1235240425_help@decryptservice.info", - ".id-[ID]_[EMAIL_ADDRESS]" - ], - "encryption": "AES-256", - "ransomnotes": [ - "HOW TO DECRYPT.txt" - ], - "refs": [ - "https://reaqta.com/2016/03/bandarchor-ransomware-still-active/", - "https://www.bleepingcomputer.com/news/security/new-bandarchor-ransomware-variant-spreads-via-malvertising-on-adult-sites/" - ] - } - }, - { - "value": "Bart", - "description": "Ransomware Possible affiliations with RockLoader, Locky and Dridex", - "meta": { - "synonyms": [ - "BaCrypt" - ], - "extensions": [ - ".bart.zip", - ".bart", - ".perl" - ], - "ransomnotes": [ - "recover.txt", - "recover.bmp" - ], - "refs": [ - "http://now.avg.com/barts-shenanigans-are-no-match-for-avg/", - "http://phishme.com/rockloader-downloading-new-ransomware-bart/", - "https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky" - ] - } - }, - { - "value": "BitCryptor", - "description": "Ransomware Has a GUI. CryptoGraphic Locker family. 
Newer CoinVault variant.", - "meta": { - "extensions": [ - ".clf" - ], - "refs": [ - "https://noransom.kaspersky.com/" - ] - } - }, - { - "value": "BitStak", - "description": "Ransomware", - "meta": { - "extensions": [ - ".bitstak" - ], - "encryption": "Base64 + String Replacement", - "refs": [ - "https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip" - ] - } - }, - { - "value": "BlackShades Crypter", - "description": "Ransomware", - "meta": { - "synonyms": [ - "SilentShade" - ], - "extensions": [ - ".Silent" - ], - "encryption": "AES-256", - "ransomnotes": [ - "Hacked_Read_me_to_decrypt_files.html", - "YourID.txt" - ], - "refs": [ - "http://nyxbone.com/malware/BlackShades.html" - ] - } - }, - { - "value": "Blocatto", - "description": "Ransomware Based on HiddenTear", - "meta": { - "extensions": [ - ".blocatto" - ], - "encryption": "AES-256", - "refs": [ - "http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/" - ] - } - }, - { - "value": "Booyah", - "description": "Ransomware EXE was replaced to neutralize threat", - "meta": { - "synonyms": [ - "Salami" - ] - } - }, - { - "value": "Brazilian", - "description": "Ransomware Based on EDA2", - "meta": { - "extensions": [ - ".lock" - ], - "encryption": "AES-256", - "ransomnotes": [ - "MENSAGEM.txt" - ], - "refs": [ - "http://www.nyxbone.com/malware/brazilianRansom.html", - "http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png" - ] - } - }, - { - "value": "Brazilian Globe", - "description": "Ransomware", - "meta": { - "extensions": [ - ".id-%ID%_garryweber@protonmail.ch" - ], - "ransomnotes": [ - "HOW_OPEN_FILES.html" - ], - "refs": [ - "https://twitter.com/JakubKroustek/status/821831437884211201" - ] - } - }, - { - "value": "BrLock", - "description": "Ransomware", - "meta": { - "encryption": "AES", - "refs": [ - 
"https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered" - ] - } - }, - { - "value": "Browlock", - "description": "Ransomware no local encryption, browser only" - }, - { - "value": "BTCWare Related to / new version of CryptXXX", - "description": "Ransomware", - "meta": { - "extensions": [ - ".btcware" - ], - "ransomnotes": [ - "#_HOW_TO_FIX_!.hta" - ], - "refs": [ - "https://twitter.com/malwrhunterteam/status/845199679340011520" - ] - } - }, - { - "value": "Bucbi", - "description": "Ransomware no file name change, no extension", - "meta": { - "encryption": "GOST", - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/" - ] - } - }, - { - "value": "BuyUnlockCode", - "description": "Ransomware Does not delete Shadow Copies", - "meta": { - "extensions": [ - "(.*).encoded.([A-Z0-9]{9})" - ], - "ransomnotes": [ - "BUYUNLOCKCODE.txt" - ] - } - }, - { - "value": "Central Security Treatment Organization", - "description": "Ransomware", - "meta": { - "extensions": [ - ".cry" - ], - "ransomnotes": [ - "!Recovery_[random_chars].html", - "!Recovery_[random_chars].txt" - ], - "refs": [ - "http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/" - ] - } - }, - { - "value": "Cerber", - "description": "Ransomware", - "meta": { - "extensions": [ - ".cerber", - ".cerber2", - ".cerber3" - ], - "synonyms": [ - "CRBR ENCRYPTOR" - ], - "encryption": "AES", - "ransomnotes": [ - "# DECRYPT MY FILES #.html", - "# DECRYPT MY FILES #.txt", - "# DECRYPT MY FILES #.vbs", - "# README.hta", - "_{RAND}_README.jpg", - "_{RAND}_README.hta", - "_HELP_DECRYPT_[A-Z0-9]{4-8}_.jpg", - "_HELP_DECRYPT_[A-Z0-9]{4-8}_.hta", - "_HELP_HELP_HELP_%random%.jpg", - "_HELP_HELP_HELP_%random%.hta", - "_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.hta", - "_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.jpg" - ], - "refs": [ - 
"https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/", - "https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410", - "https://www.bleepingcomputer.com/news/security/cerber-renames-itself-as-crbr-encryptor-to-be-a-pita/" - ] - } - }, - { - "value": "Chimera", - "description": "Ransomware", - "meta": { - "extensions": [ - ".crypt", - "4 random characters, e.g., .PzZs, .MKJL" - ], - "ransomnotes": [ - "YOUR_FILES_ARE_ENCRYPTED.HTML", - "YOUR_FILES_ARE_ENCRYPTED.TXT", - ".gif" - ], - "refs": [ - "http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-petya-devs/", - "https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/" - ] - } - }, - { - "value": "Clock", - "description": "Ransomware Does not encrypt anything", - "meta": { - "refs": [ - "https://twitter.com/JakubKroustek/status/794956809866018816" - ] - } - }, - { - "value": "CoinVault", - "description": "Ransomware CryptoGraphic Locker family. Has a GUI. 
Do not confuse with CrypVault!", - "meta": { - "extensions": [ - ".clf" - ], - "ransomnotes": [ - "wallpaper.jpg" - ], - "refs": [ - "https://noransom.kaspersky.com/" - ] - } - }, - { - "value": "Coverton", - "description": "Ransomware", - "meta": { - "extensions": [ - ".coverton", - ".enigma", - ".czvxce" - ], - "encryption": "AES-256", - "ransomnotes": [ - "!!!-WARNING-!!!.html", - "!!!-WARNING-!!!.txt" - ], - "refs": [ - "http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your-data-back/" - ] - } - }, - { - "value": "Cryaki", - "description": "Ransomware", - "meta": { - "extensions": [ - ".{CRYPTENDBLACKDC}" - ], - "refs": [ - "https://support.kaspersky.com/viruses/disinfection/8547" - ] - } - }, - { - "value": "Crybola", - "description": "Ransomware", - "meta": { - "refs": [ - "https://support.kaspersky.com/viruses/disinfection/8547" - ] - } - }, - { - "value": "CryFile", - "description": "Ransomware", - "meta": { - "extensions": [ - ".criptiko", - ".criptoko", - ".criptokod", - ".cripttt", - ".aga" - ], - "encryption": "Moves bytes", - "refs": [ - "SHTODELATVAM.txt", - "Instructionaga.txt" - ], - "ransomnotes": [ - "http://virusinfo.info/showthread.php?t=185396" - ] - } - }, - { - "value": "CryLocker", - "description": "Ransomware Identifies victim locations w/Google Maps API", - "meta": { - "synonyms": [ - "Cry", - "CSTO", - "Central Security Treatment Organization" - ], - "extensions": [ - ".cry" - ], - "ransomnotes": [ - "!Recovery_[random_chars].html", - "!Recovery_[random_chars].txt" - ], - "refs": [ - "http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/" - ] - } - }, - { - "value": "CrypMIC", - "description": "Ransomware CryptXXX clone/spinoff", - "meta": { - "encryption": "AES-256", - "ransomnotes": [ - "README.TXT", - "README.HTML", - "README.BMP" - ], - "refs": [ - 
"http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/" - ] - } - }, - { - "value": "Crypren", - "description": "Ransomware", - "meta": { - "extensions": [ - ".ENCRYPTED" - ], - "ransomnotes": [ - "READ_THIS_TO_DECRYPT.html" - ], - "refs": [ - "https://github.com/pekeinfo/DecryptCrypren", - "http://www.nyxbone.com/malware/Crypren.html", - "http://www.nyxbone.com/images/articulos/malware/crypren/0.png" - ] - } - }, - { - "value": "Crypt38", - "description": "Ransomware", - "meta": { - "extensions": [ - ".crypt38" - ], - "encryption": "AES", - "refs": [ - "https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip", - "https://blog.fortinet.com/2016/06/17/buggy-russian-ransomware-inadvertently-allows-free-decryption" - ] - } - }, - { - "value": "Crypter", - "description": "Ransomware Does not actually encrypt the files, but simply renames them", - "meta": { - "refs": [ - "https://twitter.com/jiriatvirlab/status/802554159564062722" - ] - } - }, - { - "value": "CryptFIle2", - "description": "Ransomware", - "meta": { - "extensions": [ - ".scl", - "id[_ID]email_xerx@usa.com.scl" - ], - "encryption": "RSA", - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered" - ] - } - }, - { - "value": "CryptInfinite", - "description": "Ransomware", - "meta": { - "extensions": [ - ".crinf" - ], - "refs": [ - "https://decrypter.emsisoft.com/" - ] - } - }, - { - "value": "CryptoBit", - "description": "Ransomware sekretzbel0ngt0us.KEY - do not confuse with CryptorBit.", - "meta": { - "encryption": "AES + RSA", - "ransomnotes": [ - "OKSOWATHAPPENDTOYOURFILES.TXT" - ], - "refs": [ - "http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/", - "http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml" - ] - } - }, - { - "value": "CryptoDefense", - "description": "Ransomware no extension change", - "meta": { - 
"ransomnotes": [ - "HOW_DECRYPT.TXT", - "HOW_DECRYPT.HTML", - "HOW_DECRYPT.URL" - ], - "refs": [ - "https://decrypter.emsisoft.com/" - ] - } - }, - { - "value": "CryptoFinancial", - "description": "Ransomware", - "meta": { - "synonyms": [ - "Ranscam" - ], - "refs": [ - "http://blog.talosintel.com/2016/07/ranscam.html", - "https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/" - ] - } - }, - { - "value": "CryptoFortress", - "description": "Ransomware Mimics Torrentlocker. Encrypts only 50% of each file up to 5 MB", - "meta": { - "extensions": [ - ".frtrss" - ], - "encryption": "AES-256 + RSA-1024", - "ransomnotes": [ - "READ IF YOU WANT YOUR FILES BACK.html" - ] - } - }, - { - "value": "CryptoGraphic Locker", - "description": "Ransomware Has a GUI. Subvariants: CoinVault BitCryptor", - "meta": { - "extensions": [ - ".clf" - ], - "ransomnotes": [ - "wallpaper.jpg" - ] - } - }, - { - "value": "CryptoHost", - "description": "Ransomware RAR's victim's files has a GUI", - "meta": { - "synonyms": [ - "Manamecrypt", - "Telograph", - "ROI Locker" - ], - "encryption": "AES-256 (RAR implementation)", - "refs": [ - "http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/" - ] - } - }, - { - "value": "CryptoJoker", - "description": "Ransomware", - "meta": { - "extensions": [ - ".crjoker" - ], - "encryption": "AES-256", - "ransomnotes": [ - "README!!!.txt", - "GetYouFiles.txt", - "crjoker.html" - ] - } - }, - { - "value": "CryptoLocker", - "description": "Ransomware no longer relevant", - "meta": { - "extensions": [ - ".encrypted", - ".ENC" - ], - "refs": [ - "https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html", - "https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/" - ] - } - }, - { - "value": "CryptoLocker 1.0.0", - "description": "Ransomware", - "meta": { - "refs": [ - 
"https://twitter.com/malwrhunterteam/status/839747940122001408" - ] - } - }, - { - "value": "CryptoLocker 5.1", - "description": "Ransomware", - "meta": { - "refs": [ - "https://twitter.com/malwrhunterteam/status/782890104947867649" - ] - } - }, - { - "value": "CryptoMix", - "description": "Ransomware", - "meta": { - "synonyms": [ - "Zeta" - ], - "extensions": [ - ".code", - ".scl", - ".rmd", - ".lesli", - ".rdmk", - ".CRYPTOSHIELD", - ".CRYPTOSHIEL", - ".id_(ID_MACHINE)_email_xoomx@dr.com_.code", - ".id_*_email_zeta@dr.com", - ".id_(ID_MACHINE)_email_anx@dr.com_.scl", - ".email[supl0@post.com]id[\\[[a-z0-9]{16}\\]].lesli", - "*filename*.email[*email*]_id[*id*].rdmk", - ".EMPTY", - ".0000", - ".XZZX", - ".TEST", - ".WORK", - ".SYSTEM" - ], - "ransomnotes": [ - "HELP_YOUR_FILES.html (CryptXXX)", - "HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)", - "INSTRUCTION RESTORE FILE.TXT", - "# HELP_DECRYPT_YOUR_FILES #.TXT", - "_HELP_INSTRUCTION.TXT", - "C:\\ProgramData\\[random].exe", - "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nempty01@techmail.info\n\nempty02@yahooweb.co\n\nempty003@protonmail.com\n\nWe will help You as soon as possible!\n\nDECRYPT-ID-[id] number", - "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]", - "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nxzzx@tuta.io\n\nxzzx1@protonmail.com\n\nxzzx10@yandex.com\n\nxzzx101@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id] number", - "Hello!\n\nAttention! 
All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ntest757@tuta.io\n\ntest757@protonmail.com\n\ntest757xz@yandex.com\n\ntest757xy@yandex.com\n\ntest757@consultant.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number", - "Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number", - "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! 
IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number" - ], - "refs": [ - "http://www.nyxbone.com/malware/CryptoMix.html", - "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/", - "https://twitter.com/JakubKroustek/status/804009831518572544", - "https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomware-variant-released/", - "https://www.bleepingcomputer.com/news/security/0000-cryptomix-ransomware-variant-released/", - "https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-variant-released/", - "https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/", - "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/", - "https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/" - ] - } - }, - { - "value": "CryptoRansomeware", - "description": "Ransomware", - "meta": { - "refs": [ - "https://twitter.com/malwrhunterteam/status/817672617658347521" - ] - } - }, - { - "value": "CryptoRoger", - "description": "Ransomware", - "meta": { - "extensions": [ - ".crptrgr" - ], - "encryption": "AES", - "ransomnotes": [ - "!Where_are_my_files!.html" - ], - "refs": [ - "http://www.bleepingcomputer.com/news/security/new-ransomware-called-cryptoroger-that-appends-crptrgr-to-encrypted-files/" - ] - } - }, - { - "value": "CryptoShadow", - "description": "Ransomware", - "meta": { - "extensions": [ - ".doomed" - ], - "ransomnotes": [ - "LEER_INMEDIATAMENTE.txt" - ], - "refs": [ - "https://twitter.com/struppigel/status/821992610164277248" - ] - } - }, - { - "value": "CryptoShocker", - "description": "Ransomware", - "meta": { - "extensions": [ - ".locked" - ], - "encryption": "AES", - "ransomnotes": [ - "ATTENTION.url" - ], - "refs": [ - "http://www.bleepingcomputer.com/forums/t/617601/cryptoshocker-ransomware-help-and-support-topic-locked-attentionurl/" - ] - } - }, - { - "value": "CryptoTorLocker2015", - 
"description": "Ransomware", - "meta": { - "extensions": [ - ".CryptoTorLocker2015!" - ], - "ransomnotes": [ - "HOW TO DECRYPT FILES.txt", - "%Temp%\\.bmp" - ], - "refs": [ - "http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypted/" - ] - } - }, - { - "value": "CryptoTrooper", - "description": "Ransomware", - "meta": { - "encryption": "AES", - "refs": [ - "http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml" - ] - } - }, - { - "value": "CryptoWall 1", - "description": "Ransomware", - "meta": { - "ransomnotes": [ - "DECRYPT_INSTRUCTION.HTM", - "DECRYPT_INSTRUCTION.TXT", - "DECRYPT_INSTRUCTION.URL", - "INSTALL_TOR.URL" - ] - } - }, - { - "value": "CryptoWall 2", - "description": "Ransomware", - "meta": { - "ransomnotes": [ - "HELP_DECRYPT.TXT", - "HELP_DECRYPT.PNG", - "HELP_DECRYPT.URL", - "HELP_DECRYPT.HTML" - ] - } - }, - { - "value": "CryptoWall 3", - "description": "Ransomware", - "meta": { - "ransomnotes": [ - "HELP_DECRYPT.TXT", - "HELP_DECRYPT.PNG", - "HELP_DECRYPT.URL", - "HELP_DECRYPT.HTML" - ], - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/", - "https://www.virustotal.com/en/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/" - ] - } - }, - { - "value": "CryptoWall 4", - "description": "Ransomware", - "meta": { - "extensions": [ - "., e.g. 
,27p9k967z.x1nep"
- ],
- "ransomnotes": [
- "HELP_YOUR_FILES.HTML",
- "HELP_YOUR_FILES.PNG"
- ]
- }
- },
- {
- "value": "CryptXXX",
- "description": "Ransomware Comes with Bedep",
- "meta": {
- "synonyms": [
- "CryptProjectXXX"
- ],
- "extensions": [
- ".crypt"
- ],
- "ransomnotes": [
- "de_crypt_readme.bmp, .txt, .html"
- ],
- "refs": [
- "https://support.kaspersky.com/viruses/disinfection/8547",
- "http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information"
- ]
- }
- },
- {
- "value": "CryptXXX 2.0",
- "description": "Ransomware Locks screen. Ransom note names are an ID. Comes with Bedep.",
- "meta": {
- "synonyms": [
- "CryptProjectXXX"
- ],
- "extensions": [
- ".crypt"
- ],
- "ransomnotes": [
- ".txt, .html, .bmp"
- ],
- "refs": [
- "https://support.kaspersky.com/viruses/disinfection/8547",
- "https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool",
- "http://blogs.cisco.com/security/cryptxxx-technical-deep-dive"
- ]
- }
- },
- {
- "value": "CryptXXX 3.0",
- "description": "Ransomware Comes with Bedep",
- "meta": {
- "synonyms": [
- "UltraDeCrypter",
- "UltraCrypter"
- ],
- "extensions": [
- ".crypt",
- ".cryp1",
- ".crypz",
- ".cryptz",
- "random"
- ],
- "refs": [
- "https://support.kaspersky.com/viruses/disinfection/8547",
- "http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/",
- "http://blogs.cisco.com/security/cryptxxx-technical-deep-dive"
- ]
- }
- },
- {
- "value": "CryptXXX 3.1",
- "description": "Ransomware StilerX credential stealing",
- "meta": {
- "extensions": [
- ".cryp1"
- ],
- "refs": [
- "https://support.kaspersky.com/viruses/disinfection/8547",
- "https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100"
- ]
- }
- },
- {
- "value": "CryPy",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".cry"
- ],
- "encryption": "AES",
- 
"ransomnotes": [
- "README_FOR_DECRYPT.txt"
- ],
- "refs": [
- "http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-job-imitating-ctb-locker/"
- ]
- }
- },
- {
- "value": "CTB-Faker",
- "description": "Ransomware",
- "meta": {
- "synonyms": [
- "Citroni"
- ],
- "extensions": [
- ".ctbl",
- ".([a-z]{6,7})"
- ],
- "encryption": "RSA-2048",
- "ransomnotes": [
- "AllFilesAreLocked .bmp",
- "DecryptAllFiles .txt",
- ".html"
- ]
- }
- },
- {
- "value": "CTB-Locker WEB",
- "description": "Ransomware websites only",
- "meta": {
- "refs": [
- "https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/",
- "https://github.com/eyecatchup/Critroni-php"
- ]
- }
- },
- {
- "value": "CuteRansomware",
- "description": "Ransomware Based on my-Little-Ransomware",
- "meta": {
- "synonyms": [
- "my-Little-Ransomware"
- ],
- "extensions": [
- ".已加密",
- ".encrypted"
- ],
- "encryption": "AES-128",
- "ransomnotes": [
- "你的檔案被我們加密啦!!!.txt",
- "Your files encrypted by our friends !!! 
txt"
- ],
- "refs": [
- "https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool",
- "https://github.com/aaaddress1/my-Little-Ransomware"
- ]
- }
- },
- {
- "value": "Cyber SpLiTTer Vbs",
- "description": "Ransomware Based on HiddenTear",
- "meta": {
- "synonyms": [
- "CyberSplitter"
- ],
- "refs": [
- "https://twitter.com/struppigel/status/778871886616862720",
- "https://twitter.com/struppigel/status/806758133720698881"
- ]
- }
- },
- {
- "value": "Death Bitches",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".locked"
- ],
- "ransomnotes": [
- "READ_IT.txt"
- ],
- "refs": [
- "https://twitter.com/JaromirHorejsi/status/815555258478981121"
- ]
- }
- },
- {
- "value": "DeCrypt Protect",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".html"
- ],
- "refs": [
- "http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/"
- ]
- }
- },
- {
- "value": "DEDCryptor",
- "description": "Ransomware Based on EDA2",
- "meta": {
- "extensions": [
- ".ded"
- ],
- "encryption": "AES-256",
- "refs": [
- "http://www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic/",
- "http://www.nyxbone.com/malware/DEDCryptor.html"
- ]
- }
- },
- {
- "value": "Demo",
- "description": "Ransomware only encrypts .jpg files",
- "meta": {
- "extensions": [
- ".encrypted"
- ],
- "ransomnotes": [
- "HELP_YOUR_FILES.txt"
- ],
- "refs": [
- "https://twitter.com/struppigel/status/798573300779745281"
- ]
- }
- },
- {
- "value": "DetoxCrypto",
- "description": "Ransomware - Based on Detox: Calipso, We are all Pokemons, Nullbyte",
- "meta": {
- "encryption": "AES",
- "refs": [
- "http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/"
- ]
- }
- },
- {
- "value": "Digisom",
- "description": "Ransomware",
- "meta": {
- "ransomnotes": [
- "Digisom Readme0.txt (0 to 9)"
- ],
- "refs": [
- 
"https://twitter.com/PolarToffee/status/829727052316160000"
- ]
- }
- },
- {
- "value": "DirtyDecrypt",
- "description": "Ransomware",
- "meta": {
- "refs": [
- "https://twitter.com/demonslay335/status/752586334527709184"
- ]
- }
- },
- {
- "value": "DMALocker",
- "description": "Ransomware no extension change Encrypted files have prefix: Version 1: ABCXYZ11 - Version 2: !DMALOCK - Version 3: !DMALOCK3.0 - Version 4: !DMALOCK4.0",
- "meta": {
- "encryption": "AES-256 in ECB mode, Version 2-4 also RSA",
- "ransomnotes": [
- "cryptinfo.txt",
- "decrypting.txt",
- "start.txt"
- ],
- "refs": [
- "https://decrypter.emsisoft.com/",
- "https://github.com/hasherezade/dma_unlocker",
- "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg",
- "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/"
- ]
- }
- },
- {
- "value": "DMALocker 3.0",
- "description": "Ransomware",
- "meta": {
- "encryption": "AES-256 + XPTLOCK5.0",
- "refs": [
- "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg",
- "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/"
- ]
- }
- },
- {
- "value": "DNRansomware",
- "description": "Ransomware Code to decrypt: 83KYG9NW-3K39V-2T3HJ-93F3Q-GT",
- "meta": {
- "extensions": [
- ".fucked"
- ],
- "refs": [
- "https://twitter.com/BleepinComputer/status/822500056511213568"
- ]
- }
- },
- {
- "value": "Domino",
- "description": "Ransomware Based on Hidden Tear",
- "meta": {
- "extensions": [
- ".domino"
- ],
- "encryption": "AES-256",
- "ransomnotes": [
- "README_TO_RECURE_YOUR_FILES.txt"
- ],
- "refs": [
- "http://www.nyxbone.com/malware/Domino.html",
- "http://www.bleepingcomputer.com/news/security/the-curious-case-of-the-domino-ransomware-a-windows-crack-and-a-cow/"
- ]
- }
- },
- {
- "value": "DoNotChange",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".id-7ES642406.cry",
- ".Do_not_change_the_filename"
- ],
- "encryption": 
"AES-128",
- "ransomnotes": [
- "HOW TO DECODE FILES!!!.txt",
- "КАК РАСШИФРОВАТЬ ФАЙЛЫ!!!.txt"
- ],
- "refs": [
- "https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/"
- ]
- }
- },
- {
- "value": "DummyLocker",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".dCrypt"
- ],
- "refs": [
- "https://twitter.com/struppigel/status/794108322932785158"
- ]
- }
- },
- {
- "value": "DXXD",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".dxxd"
- ],
- "ransomnotes": [
- "ReadMe.TxT"
- ],
- "refs": [
- "https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/",
- "https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal-notice-before-users-login/"
- ]
- }
- },
- {
- "value": "HiddenTear",
- "description": "Ransomware Open sourced C#",
- "meta": {
- "synonyms": [
- "Cryptear",
- "EDA2"
- ],
- "extensions": [
- ".locked"
- ],
- "encryption": "AES-256",
- "refs": [
- "http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html"
- ]
- }
- },
- {
- "value": "EduCrypt",
- "description": "Ransomware Based on Hidden Tear",
- "meta": {
- "synonyms": [
- "EduCrypter"
- ],
- "extensions": [
- ".isis",
- ".locked"
- ],
- "ransomnotes": [
- "README.txt"
- ],
- "refs": [
- "http://www.filedropper.com/decrypter_1",
- "https://twitter.com/JakubKroustek/status/747031171347910656"
- ]
- }
- },
- {
- "value": "EiTest",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".crypted"
- ],
- "refs": [
- "https://twitter.com/BroadAnalysis/status/845688819533930497",
- "https://twitter.com/malwrhunterteam/status/845652520202616832"
- ]
- }
- },
- {
- "value": "El-Polocker",
- "description": "Ransomware Has a GUI",
- "meta": {
- "synonyms": [
- "Los Pollos Hermanos"
- ],
- "extensions": [
- ".ha3"
- ],
- "ransomnotes": [
- "qwer.html",
- "qwer2.html",
- "locked.bmp"
- ]
- }
- },
- {
- "value": "Encoder.xxxx",
- 
"description": "Ransomware Coded in GO",
- "meta": {
- "synonyms": [
- "Trojan.Encoder.6491"
- ],
- "ransomnotes": [
- "Instructions.html"
- ],
- "refs": [
- "http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/",
- "http://vms.drweb.ru/virus/?_is=1&i=8747343"
- ]
- }
- },
- {
- "value": "encryptoJJS",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".enc"
- ],
- "ransomnotes": [
- "How to recover.enc"
- ]
- }
- },
- {
- "value": "Enigma",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".enigma",
- ".1txt"
- ],
- "encryption": "AES-128",
- "ransomnotes": [
- "enigma.hta",
- "enigma_encr.txt",
- "enigma_info.txt"
- ],
- "refs": [
- "http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/"
- ]
- }
- },
- {
- "value": "Enjey",
- "description": "Ransomware Based on RemindMe",
- "meta": {
- "refs": [
- "https://twitter.com/malwrhunterteam/status/839022018230112256"
- ]
- }
- },
- {
- "value": "Fairware",
- "description": "Ransomware Target Linux O.S.",
- "meta": {
- "refs": [
- "http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/"
- ]
- }
- },
- {
- "value": "Fakben",
- "description": "Ransomware Based on Hidden Tear",
- "meta": {
- "extensions": [
- ".locked"
- ],
- "ransomnotes": [
- "READ ME FOR DECRYPT.txt"
- ],
- "refs": [
- "https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code"
- ]
- }
- },
- {
- "value": "FakeCryptoLocker",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".cryptolocker"
- ],
- "refs": [
- "https://twitter.com/PolarToffee/status/812312402779836416"
- ]
- }
- },
- {
- "value": "Fantom",
- "description": "Ransomware Based on EDA2",
- "meta": {
- "synonyms": [
- "Comrad Circle"
- ],
- "extensions": [
- ".fantom",
- ".comrade"
- ],
- "encryption": "AES-128",
- "ransomnotes": [
- "DECRYPT_YOUR_FILES.HTML",
- 
"RESTORE-FILES![id]"
- ],
- "refs": [
- "http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/"
- ]
- }
- },
- {
- "value": "FenixLocker",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".FenixIloveyou!!"
- ],
- "ransomnotes": [
- "Help to decrypt.txt"
- ],
- "refs": [
- "https://decrypter.emsisoft.com/fenixlocker",
- "https://twitter.com/fwosar/status/777197255057084416"
- ]
- }
- },
- {
- "value": "FILE FROZR",
- "description": "Ransomware RaaS",
- "meta": {
- "refs": [
- "https://twitter.com/rommeljoven17/status/846973265650335744"
- ]
- }
- },
- {
- "value": "FileLocker",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".ENCR"
- ],
- "refs": [
- "https://twitter.com/jiriatvirlab/status/836616468775251968"
- ]
- }
- },
- {
- "value": "FireCrypt",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".firecrypt"
- ],
- "encryption": "AES-256",
- "ransomnotes": [
- "[random_chars]-READ_ME.html"
- ],
- "refs": [
- "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/"
- ]
- }
- },
- {
- "value": "Flyper",
- "description": "Ransomware Based on EDA2 / HiddenTear",
- "meta": {
- "extensions": [
- ".locked"
- ],
- "refs": [
- "https://twitter.com/malwrhunterteam/status/773771485643149312"
- ]
- }
- },
- {
- "value": "Fonco",
- "description": "Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents",
- "meta": {
- "ransomnotes": [
- "help-file-decrypt.enc",
- "/pronk.txt"
- ]
- }
- },
- {
- "value": "FortuneCookie ",
- "description": "Ransomware",
- "meta": {
- "refs": [
- "https://twitter.com/struppigel/status/842302481774321664"
- ]
- }
- },
- {
- "value": "Free-Freedom",
- "description": "Ransomware Unlock code is: adam or adamdude9",
- "meta": {
- "synonyms": [
- "Roga"
- ],
- "extensions": [
- ".madebyadam"
- ],
- "refs": [
- 
"https://twitter.com/BleepinComputer/status/812135608374226944"
- ]
- }
- },
- {
- "value": "FSociety",
- "description": "Ransomware Based on EDA2 and RemindMe",
- "meta": {
- "extensions": [
- ".fs0ciety",
- ".dll"
- ],
- "ransomnotes": [
- "fs0ciety.html",
- "DECRYPT_YOUR_FILES.HTML"
- ],
- "refs": [
- "https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-help-support-fs0cietyhtml/",
- "http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/",
- "https://twitter.com/siri_urz/status/795969998707720193"
- ]
- }
- },
- {
- "value": "Fury",
- "description": "Ransomware",
- "meta": {
- "refs": [
- "https://support.kaspersky.com/viruses/disinfection/8547"
- ]
- }
- },
- {
- "value": "GhostCrypt",
- "description": "Ransomware Based on Hidden Tear",
- "meta": {
- "extensions": [
- ".Z81928819"
- ],
- "encryption": "AES-256",
- "refs": [
- "https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip",
- "http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/"
- ]
- }
- },
- {
- "value": "Gingerbread",
- "description": "Ransomware",
- "meta": {
- "refs": [
- "https://twitter.com/ni_fi_70/status/796353782699425792"
- ]
- }
- },
- {
- "value": "Globe v1",
- "description": "Ransomware",
- "meta": {
- "synonyms": [
- "Purge"
- ],
- "extensions": [
- ".purge"
- ],
- "encryption": "Blowfish",
- "ransomnotes": [
- "How to restore files.hta"
- ],
- "refs": [
- "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221",
- "http://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/"
- ]
- }
- },
- {
- "value": "GNL Locker",
- "description": "Ransomware Only encrypts DE or NL country. 
Variants, from old to latest: Zyklon Locker, WildFire locker, Hades Locker",
- "meta": {
- "extensions": [
- ".locked",
- ".locked, e.g., bill.!ID!8MMnF!ID!.locked"
- ],
- "encryption": "AES-256",
- "ransomnotes": [
- "UNLOCK_FILES_INSTRUCTIONS.html and .txt"
- ],
- "refs": [
- "http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/"
- ]
- }
- },
- {
- "value": "Gomasom",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".crypt",
- "!___[EMAILADDRESS]_.crypt"
- ],
- "refs": [
- "https://decrypter.emsisoft.com/"
- ]
- }
- },
- {
- "value": "Goopic",
- "description": "Ransomware",
- "meta": {
- "ransomnotes": [
- "Your files have been crypted.html"
- ],
- "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/"
- ]
- }
- },
- {
- "value": "Gopher",
- "description": "Ransomware OS X ransomware (PoC)"
- },
- {
- "value": "Hacked",
- "description": "Ransomware Jigsaw Ransomware variant",
- "meta": {
- "extensions": [
- ".versiegelt",
- ".encrypted",
- ".payrmts",
- ".locked",
- ".Locked"
- ],
- "refs": [
- "https://twitter.com/demonslay335/status/806878803507101696"
- ]
- }
- },
- {
- "value": "HappyDayzz",
- "description": "Ransomware",
- "meta": {
- "encryption": "3DES, AES-128, AES-192, AES-256, DES, RC2, RC4",
- "refs": [
- "https://twitter.com/malwrhunterteam/status/847114064224497666"
- ]
- }
- },
- {
- "value": "Harasom",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".html"
- ],
- "refs": [
- "https://decrypter.emsisoft.com/"
- ]
- }
- },
- {
- "value": "HDDCryptor",
- "description": "Ransomware Uses https://diskcryptor.net for full disk encryption",
- "meta": {
- "synonyms": [
- "Mamba"
- ],
- "encryption": "Custom (net shares), XTS-AES (disk)",
- "refs": [
- "https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho",
- 
"blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/"
- ]
- }
- },
- {
- "value": "Heimdall",
- "description": "Ransomware File marker: \"Heimdall---\"",
- "meta": {
- "encryption": "AES-128-CBC",
- "refs": [
- "https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/"
- ]
- }
- },
- {
- "value": "Help_dcfile",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".XXX"
- ],
- "ransomnotes": [
- "help_dcfile.txt"
- ]
- }
- },
- {
- "value": "Herbst",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".herbst"
- ],
- "encryption": "AES-256",
- "refs": [
- "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware"
- ]
- }
- },
- {
- "value": "Hi Buddy!",
- "description": "Ransomware Based on HiddenTear",
- "meta": {
- "extensions": [
- ".cry"
- ],
- "encryption": "AES-256",
- "refs": [
- "http://www.nyxbone.com/malware/hibuddy.html"
- ]
- }
- },
- {
- "value": "Hitler",
- "description": "Ransomware Deletes files",
- "meta": {
- "extensions": [
- "removes extensions"
- ],
- "refs": [
- "http://www.bleepingcomputer.com/news/security/development-version-of-the-hitler-ransomware-discovered/",
- "https://twitter.com/jiriatvirlab/status/825310545800740864"
- ]
- }
- },
- {
- "value": "HolyCrypt",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- "(encrypted)"
- ],
- "encryption": "AES",
- "refs": [
- "http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/"
- ]
- }
- },
- {
- "value": "HTCryptor",
- "description": "Ransomware Includes a feature to disable the victim's windows firewall Modified in-dev HiddenTear",
- "meta": {
- "refs": [
- "https://twitter.com/BleepinComputer/status/803288396814839808"
- ]
- }
- },
- {
- "value": "HydraCrypt",
- "description": "Ransomware CrypBoss Family",
- "meta": {
- "extensions": [
- 
"hydracrypt_ID_[\\w]{8}"
- ],
- "ransomnotes": [
- "README_DECRYPT_HYRDA_ID_[ID number].txt"
- ],
- "refs": [
- "https://decrypter.emsisoft.com/",
- "http://www.malware-traffic-analysis.net/2016/02/03/index2.html"
- ]
- }
- },
- {
- "value": "iLock",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".crime"
- ],
- "refs": [
- "https://twitter.com/BleepinComputer/status/817085367144873985"
- ]
- }
- },
- {
- "value": "iLockLight",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".crime"
- ]
- }
- },
- {
- "value": "International Police Association",
- "description": "Ransomware CryptoTorLocker2015 variant",
- "meta": {
- "extensions": [
- "<6 random characters>"
- ],
- "ransomnotes": [
- "%Temp%\\.bmp"
- ],
- "refs": [
- "http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe"
- ]
- }
- },
- {
- "value": "iRansom",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".Locked"
- ],
- "refs": [
- "https://twitter.com/demonslay335/status/796134264744083460"
- ]
- }
- },
- {
- "value": "JagerDecryptor",
- "description": "Ransomware Prepends filenames",
- "meta": {
- "extensions": [
- "!ENC"
- ],
- "ransomnotes": [
- "Important_Read_Me.html"
- ],
- "refs": [
- "https://twitter.com/JakubKroustek/status/757873976047697920"
- ]
- }
- },
- {
- "value": "Jeiphoos",
- "description": "Ransomware Windows, Linux. Campaign stopped. 
Actor claimed he deleted the master key.",
- "meta": {
- "synonyms": [
- "Encryptor RaaS",
- "Sarento"
- ],
- "encryption": "RC6 (files), RSA 2048 (RC6 key)",
- "ransomnotes": [
- "readme_liesmich_encryptor_raas.txt"
- ],
- "refs": [
- "http://www.nyxbone.com/malware/RaaS.html",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-and-fall-of-encryptor-raas/"
- ]
- }
- },
- {
- "value": "Jhon Woddy",
- "description": "Ransomware Same codebase as DNRansomware Lock screen password is M3VZ>5BwGGVH",
- "meta": {
- "extensions": [
- ".killedXXX"
- ],
- "refs": [
- "https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip",
- "https://twitter.com/BleepinComputer/status/822509105487245317"
- ]
- }
- },
- {
- "value": "Jigsaw",
- "description": "Ransomware Has a GUI",
- "meta": {
- "synonyms": [
- "CryptoHitMan"
- ],
- "extensions": [
- ".btc",
- ".kkk",
- ".fun",
- ".gws",
- ".porno",
- ".payransom",
- ".payms",
- ".paymst",
- ".AFD",
- ".paybtcs",
- ".epic",
- ".xyz",
- ".encrypted",
- ".hush",
- ".paytounlock",
- ".uk-dealer@sigaint.org",
- ".gefickt",
- ".nemo-hacks.at.sigaint.org"
- ],
- "encryption": "AES-256",
- "refs": [
- "http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/",
- "https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/",
- "https://twitter.com/demonslay335/status/795819556166139905"
- ]
- }
- },
- {
- "value": "Job Crypter",
- "description": "Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC",
- "meta": {
- "extensions": [
- ".locked",
- ".css"
- ],
- "encryption": "TripleDES",
- "ransomnotes": [
- "Comment débloquer mes fichiers.txt",
- "Readme.txt"
- ],
- "refs": [
- "http://www.nyxbone.com/malware/jobcrypter.html",
- "http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html",
- "https://twitter.com/malwrhunterteam/status/828914052973858816"
- ]
- }
- },
- {
- 
"value": "JohnyCryptor",
- "description": "Ransomware"
- },
- {
- "value": "KawaiiLocker",
- "description": "Ransomware",
- "meta": {
- "ransomnotes": [
- "How Decrypt Files.txt"
- ],
- "refs": [
- "https://safezone.cc/resources/kawaii-decryptor.195/"
- ]
- }
- },
- {
- "value": "KeRanger",
- "description": "Ransomware OS X Ransomware",
- "meta": {
- "extensions": [
- ".encrypted"
- ],
- "encryption": "AES",
- "refs": [
- "http://news.drweb.com/show/?i=9877&lng=en&c=5",
- "http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/"
- ]
- }
- },
- {
- "value": "KeyBTC",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- "keybtc@inbox_com"
- ],
- "ransomnotes": [
- "DECRYPT_YOUR_FILES.txt",
- "READ.txt",
- "readme.txt"
- ],
- "refs": [
- "https://decrypter.emsisoft.com/"
- ]
- }
- },
- {
- "value": "KEYHolder",
- "description": "Ransomware via remote attacker. tuyuljahat@hotmail.com contact address",
- "meta": {
- "ransomnotes": [
- "how_decrypt.gif",
- "how_decrypt.html"
- ],
- "refs": [
- "http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml"
- ]
- }
- },
- {
- "value": "KillerLocker",
- "description": "Ransomware Possibly Portuguese dev",
- "meta": {
- "extensions": [
- ".rip"
- ],
- "refs": [
- "https://twitter.com/malwrhunterteam/status/782232299840634881"
- ]
- }
- },
- {
- "value": "KimcilWare",
- "description": "Ransomware websites only",
- "meta": {
- "extensions": [
- ".kimcilware",
- ".locked"
- ],
- "encryption": "AES",
- "refs": [
- "https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it",
- "http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-running-the-magento-platform/"
- ]
- }
- },
- {
- "value": "Korean",
- "description": "Ransomware Based on HiddenTear",
- "meta": {
- "extensions": [
- ".암호화됨"
- ],
- "encryption": "AES-256",
- 
"ransomnotes": [
- "ReadMe.txt"
- ],
- "refs": [
- "http://www.nyxbone.com/malware/koreanRansom.html"
- ]
- }
- },
- {
- "value": "Kozy.Jozy",
- "description": "Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com",
- "meta": {
- "synonyms": [
- "QC"
- ],
- "extensions": [
- ".31392E30362E32303136_[ID-KEY]_LSBJ1",
- ".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})"
- ],
- "encryption": "RSA-2048",
- "ransomnotes": [
- "w.jpg"
- ],
- "refs": [
- "http://www.nyxbone.com/malware/KozyJozy.html",
- "http://www.bleepingcomputer.com/forums/t/617802/kozyjozy-ransomware-help-support-wjpg-31392e30362e32303136-num-lsbj1/"
- ]
- }
- },
- {
- "value": "KratosCrypt",
- "description": "Ransomware kratosdimetrici@gmail.com",
- "meta": {
- "extensions": [
- ".kratos"
- ],
- "ransomnotes": [
- "README_ALL.html"
- ],
- "refs": [
- "https://twitter.com/demonslay335/status/746090483722686465"
- ]
- }
- },
- {
- "value": "KryptoLocker",
- "description": "Ransomware Based on HiddenTear",
- "meta": {
- "encryption": "AES-256",
- "ransomnotes": [
- "KryptoLocker_README.txt"
- ]
- }
- },
- {
- "value": "LanRan",
- "description": "Ransomware Variant of open-source MyLittleRansomware",
- "meta": {
- "ransomnotes": [
- "@__help__@"
- ],
- "refs": [
- "https://twitter.com/struppigel/status/847689644854595584"
- ]
- }
- },
- {
- "value": "LeChiffre",
- "description": "Ransomware Encrypts first 0x2000 and last 0x2000 bytes. 
Via remote attacker",
- "meta": {
- "extensions": [
- ".LeChiffre"
- ],
- "ransomnotes": [
- "How to decrypt LeChiffre files.html"
- ],
- "refs": [
- "https://decrypter.emsisoft.com/lechiffre",
- "https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/"
- ]
- }
- },
- {
- "value": "Lick",
- "description": "Ransomware Variant of Kirk",
- "meta": {
- "extensions": [
- ".Licked"
- ],
- "ransomnotes": [
- "RANSOM_NOTE.txt"
- ],
- "refs": [
- "https://twitter.com/JakubKroustek/status/842404866614038529"
- ]
- }
- },
- {
- "value": "Linux.Encoder",
- "description": "Ransomware Linux Ransomware",
- "meta": {
- "synonyms": [
- "Linux.Encoder.{0,3}"
- ],
- "refs": [
- "https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/"
- ]
- }
- },
- {
- "value": "LK Encryption",
- "description": "Ransomware Based on HiddenTear",
- "meta": {
- "refs": [
- "https://twitter.com/malwrhunterteam/status/845183290873044994"
- ]
- }
- },
- {
- "value": "LLTP Locker",
- "description": "Ransomware Targeting Spanish speaking victims",
- "meta": {
- "extensions": [
- ".ENCRYPTED_BY_LLTP",
- ".ENCRYPTED_BY_LLTPp"
- ],
- "encryption": "AES-256",
- "ransomnotes": [
- "LEAME.txt"
- ],
- "refs": [
- "https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/"
- ]
- }
- },
- {
- "value": "Locker",
- "description": "Ransomware has GUI",
- "meta": {
- "refs": [
- "http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545"
- ]
- }
- },
- {
- "value": "LockLock",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".locklock"
- ],
- "encryption": "AES-256",
- "ransomnotes": [
- "READ_ME.TXT"
- ],
- "refs": [
- "https://www.bleepingcomputer.com/forums/t/626750/locklock-ransomware-locklock-help-support/"
- ]
- }
- },
- {
- "value": "Locky",
- "description": "Ransomware Affiliations with Dridex and Necurs botnets",
- "meta": 
{
- "extensions": [
- ".locky",
- ".zepto",
- ".odin",
- ".shit",
- ".thor",
- ".aesir",
- ".zzzzz",
- ".osiris",
- "([A-F0-9]{32}).locky",
- "([A-F0-9]{32}).zepto",
- "([A-F0-9]{32}).odin",
- "([A-F0-9]{32}).shit",
- "([A-F0-9]{32}).thor",
- "([A-F0-9]{32}).aesir",
- "([A-F0-9]{32}).zzzzz",
- "([A-F0-9]{32}).osiris",
- ".lukitus"
- ],
- "encryption": "AES-128",
- "ransomnotes": [
- "_Locky_recover_instructions.txt",
- "_Locky_recover_instructions.bmp",
- "_HELP_instructions.txt",
- "_HELP_instructions.bmp",
- "_HOWDO_text.html",
- "_WHAT_is.html",
- "_INSTRUCTION.html",
- "DesktopOSIRIS.(bmp|htm)",
- "OSIRIS-[0-9]{4}.htm",
- "lukitus.htm",
- "lukitus.bmp."
- ],
- "refs": [
- "http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/new-locky-ransomware-spotted-in-the-brazilian-underground-market-uses-windows-script-files/",
- "https://nakedsecurity.sophos.com/2016/10/06/odin-ransomware-takes-over-from-zepto-and-locky/",
- "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/"
- ]
- }
- },
- {
- "value": "Lortok",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".crime"
- ]
- }
- },
- {
- "value": "LowLevel04",
- "description": "Ransomware Prepends filenames",
- "meta": {
- "extensions": [
- "oor." 
- ]
- }
- },
- {
- "value": "M4N1F3STO",
- "description": "Ransomware Does not encrypt Unlock code=suckmydicknigga",
- "meta": {
- "refs": [
- "https://twitter.com/jiriatvirlab/status/808015275367002113"
- ]
- }
- },
- {
- "value": "Mabouia",
- "description": "Ransomware OS X ransomware (PoC)"
- },
- {
- "value": "MacAndChess",
- "description": "Ransomware Based on HiddenTear"
- },
- {
- "value": "Magic",
- "description": "Ransomware Based on EDA2",
- "meta": {
- "extensions": [
- ".magic"
- ],
- "encryption": "AES-256",
- "ransomnotes": [
- "DECRYPT_ReadMe1.TXT",
- "DECRYPT_ReadMe.TXT"
- ]
- }
- },
- {
- "value": "MaktubLocker",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- "[a-z]{4,6}"
- ],
- "encryption": "AES-256 + RSA-2048",
- "ransomnotes": [
- "_DECRYPT_INFO_[extension pattern].html"
- ],
- "refs": [
- "https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/"
- ]
- }
- },
- {
- "value": "MarsJoke",
- "description": "Ransomware",
- "meta": {
- "extensions": [
- ".a19",
- ".ap19"
- ],
- "ransomnotes": [
- "!!! Readme For Decrypt !!!.txt",
- "ReadMeFilesDecrypt!!!.txt"
- ],
- "refs": [
- "https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/",
- "https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker"
- ]
- }
- },
- {
- "value": "Meister",
- "description": "Ransomware Targeting French victims",
- "meta": {
- "refs": [
- "https://twitter.com/siri_urz/status/840913419024945152"
- ]
- }
- },
- {
- "value": "Meteoritan",
- "description": "Ransomware",
- "meta": {
- "ransomnotes": [
- "where_are_your_files.txt",
- "readme_your_files_have_been_encrypted.txt"
- ],
- "refs": [
- "https://twitter.com/malwrhunterteam/status/844614889620561924"
- ]
- }
- },
- {
- "value": "MIRCOP",
- "description": "Ransomware Prepends files Demands 48.48 BTC",
- "meta": {
- "synonyms": [
- "Crypt888"
- ],
- "extensions": [
- "Lock." 
- ],
- "encryption": "AES",
- "refs": [
- "http://www.bleepingcomputer.com/forums/t/618457/microcop-ransomware-help-support-lock-mircop/",
- "https://www.avast.com/ransomware-decryption-tools#!",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/instruction-less-ransomware-mircop-channels-guy-fawkes/",
- "http://www.nyxbone.com/malware/Mircop.html"
- ]
- }
- },
- {
- "value": "MireWare",
- "description": "Ransomware Based on HiddenTear",
- "meta": {
- "extensions": [
- ".fucked",
- ".fuck"
- ],
- "encryption": "AES-256",
- "ransomnotes": [
- "READ_IT.txt"
- ]
- }
- },
- {
- "value": "Mischa",
- "description": "Ransomware Packaged with Petya PDFBewerbungsmappe.exe",
- "meta": {
- "synonyms": [
- "\"Petya's little brother\""
- ],
- "extensions": [
- ".([a-zA-Z0-9]{4})"
- ],
- "ransomnotes": [
- "YOUR_FILES_ARE_ENCRYPTED.HTML",
- "YOUR_FILES_ARE_ENCRYPTED.TXT "
- ],
- "refs": [
- "http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/"
- ]
- }
- },
- {
- "value": "MM Locker",
- "description": "Ransomware Based on EDA2",
- "meta": {
- "synonyms": [
- "Booyah"
- ],
- "extensions": [
- ".locked"
- ],
- "encryption": "AES-256",
- "ransomnotes": [
- "READ_IT.txt"
- ],
- "refs": [
- "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered"
- ]
- }
- },
- {
- "value": "Mobef",
- "description": "Ransomware",
- "meta": {
- "synonyms": [
- "Yakes",
- "CryptoBit"
- ],
- "extensions": [
- ".KEYZ",
- ".KEYH0LES"
- ],
- "ransomnotes": [
- "4-14-2016-INFECTION.TXT",
- "IMPORTANT.README"
- ],
- "refs": [
- "http://nyxbone.com/malware/Mobef.html",
- "http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/",
- "http://nyxbone.com/images/articulos/malware/mobef/0.png"
- ]
- }
- },
- {
- "value": "Monument",
- "description": "Ransomware Use the DarkLocker 5 porn screenlocker - Jigsaw variant",
- "meta": {
- 
"refs": [ - "https://twitter.com/malwrhunterteam/status/844826339186135040" - ] - } - }, - { - "value": "N-Splitter", - "description": "Ransomware Russian Koolova Variant", - "meta": { - "extensions": [ - ".кибер разветвитель" - ], - "refs": [ - "https://twitter.com/JakubKroustek/status/815961663644008448", - "https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q" - ] - } - }, - { - "value": "n1n1n1", - "description": "Ransomware Filemaker: \"333333333333\"", - "meta": { - "ransomnotes": [ - "decrypt explanations.html" - ], - "refs": [ - "https://twitter.com/demonslay335/status/790608484303712256", - "https://twitter.com/demonslay335/status/831891344897482754" - ] - } - }, - { - "value": "NanoLocker", - "description": "Ransomware no extension change, has a GUI", - "meta": { - "encryption": "AES-256 + RSA", - "ransomnotes": [ - "ATTENTION.RTF" - ], - "refs": [ - "http://github.com/Cyberclues/nanolocker-decryptor" - ] - } - }, - { - "value": "Nemucod", - "description": "Ransomware 7zip (a0.exe) variant cannot be decrypted Encrypts the first 2048 Bytes", - "meta": { - "extensions": [ - ".crypted" - ], - "encryption": "XOR(255) + 7zip", - "ransomnotes": [ - "Decrypted.txt" - ], - "refs": [ - "https://decrypter.emsisoft.com/nemucod", - "https://github.com/Antelox/NemucodFR", - "http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/", - "https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/" - ] - } - }, - { - "value": "Netix", - "description": "Ransomware", - "meta": { - "synonyms": [ - "RANSOM_NETIX.A" - ], - "extensions": [ - "AES-256" - ], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/" - ] - } - }, - { - "value": "Nhtnwcuf", - "description": "Ransomware Does not encrypt the files / Files are destroyed", - "meta": { - "ransomnotes": [ - "!_RECOVERY_HELP_!.txt", - "HELP_ME_PLEASE.txt" - ], - "refs": [ 
- "https://twitter.com/demonslay335/status/839221457360195589" - ] - } - }, - { - "value": "NMoreira", - "description": "Ransomware", - "meta": { - "synonyms": [ - "XRatTeam", - "XPan" - ], - "extensions": [ - ".maktub", - ".__AiraCropEncrypted!" - ], - "encryption": "mix of RSA and AES-256", - "ransomnotes": [ - "Recupere seus arquivos. Leia-me!.txt" - ], - "refs": [ - "https://decrypter.emsisoft.com/nmoreira", - "https://twitter.com/fwosar/status/803682662481174528" - ] - } - }, - { - "value": "NoobCrypt", - "description": "Ransomware", - "meta": { - "refs": [ - "https://twitter.com/JakubKroustek/status/757267550346641408", - "https://www.bleepingcomputer.com/news/security/noobcrypt-ransomware-dev-shows-noobness-by-using-same-password-for-everyone/" - ] - } - }, - { - "value": "Nuke", - "description": "Ransomware", - "meta": { - "extensions": [ - ".nuclear55" - ], - "encryption": "AES", - "ransomnotes": [ - "!!_RECOVERY_instructions_!!.html", - "!!_RECOVERY_instructions_!!.txt" - ] - } - }, - { - "value": "Nullbyte", - "description": "Ransomware", - "meta": { - "extensions": [ - "_nullbyte" - ], - "refs": [ - "https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip", - "https://www.bleepingcomputer.com/news/security/the-nullbyte-ransomware-pretends-to-be-the-necrobot-pokemon-go-application/" - ] - } - }, - { - "value": "ODCODC", - "description": "Ransomware", - "meta": { - "extensions": [ - ".odcodc", - "C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc" - ], - "encryption": "XOR", - "ransomnotes": [ - "HOW_TO_RESTORE_FILES.txt" - ], - "refs": [ - "http://download.bleepingcomputer.com/BloodDolly/ODCODCDecoder.zip", - "http://www.nyxbone.com/malware/odcodc.html", - "https://twitter.com/PolarToffee/status/813762510302183424", - "http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png" - ] - } - }, - { - "value": "Offline ransomware", - "description": "Ransomware email addresses overlap with .777 addresses", - "meta": { - "synonyms": [ - 
"Vipasana", - "Cryakl" - ], - "extensions": [ - ".cbf", - "email-[params].cbf" - ], - "ransomnotes": [ - "desk.bmp", - "desk.jpg" - ], - "refs": [ - "https://support.kaspersky.com/viruses/disinfection/8547", - "http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html" - ] - } - }, - { - "value": "OMG! Ransomware", - "description": "Ransomware", - "meta": { - "synonyms": [ - "GPCode" - ], - "extensions": [ - ".LOL!", - ".OMG!" - ], - "ransomnotes": [ - "how to get data.txt" - ] - } - }, - { - "value": "Operation Global III", - "description": "Ransomware Is a file infector (virus)", - "meta": { - "extensions": [ - ".EXE" - ], - "refs": [ - "http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/" - ] - } - }, - { - "value": "Owl", - "description": "Ransomware", - "meta": { - "synonyms": [ - "CryptoWire" - ], - "extensions": [ - "dummy_file.encrypted", - "dummy_file.encrypted.[extension]" - ], - "ransomnotes": [ - "log.txt" - ], - "refs": [ - "https://twitter.com/JakubKroustek/status/842342996775448576" - ] - } - }, - { - "value": "PadCrypt", - "description": "Ransomware has a live support chat", - "meta": { - "extensions": [ - ".padcrypt" - ], - "ransomnotes": [ - "IMPORTANT READ ME.txt", - "File Decrypt Help.html" - ], - "refs": [ - "http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/", - "https://twitter.com/malwrhunterteam/status/798141978810732544" - ] - } - }, - { - "value": "Padlock Screenlocker", - "description": "Ransomware Unlock code is: ajVr/G\\ RJz0R", - "meta": { - "refs": [ - "https://twitter.com/BleepinComputer/status/811635075158839296" - ] - } - }, - { - "value": "Patcher", - "description": "Ransomware Targeting macOS users", - "meta": { - "extensions": [ - ".crypt" - ], - "ransomnotes": [ - "README!.txt" - ], - "refs": [ - 
"https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/", - "https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/" - ] - } - }, - { - "value": "Petya", - "description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe", - "meta": { - "synonyms": [ - "Goldeneye" - ], - "encryption": "Modified Salsa20", - "ransomnotes": [ - "YOUR_FILES_ARE_ENCRYPTED.TXT" - ], - "refs": [ - "http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generator", - "https://www.youtube.com/watch?v=mSqxFjZq_z4", - "https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/", - "https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/" - ] - } - }, - { - "value": "Philadelphia", - "description": "Ransomware Coded by \"The_Rainmaker\"", - "meta": { - "extensions": [ - ".locked", - ".locked" - ], - "encryption": "AES-256", - "refs": [ - "https://decrypter.emsisoft.com/philadelphia", - "www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/" - ] - } - }, - { - "value": "PizzaCrypts", - "description": "Ransomware", - "meta": { - "extensions": [ - ".id-[victim_id]-maestro@pizzacrypts.info" - ], - "refs": [ - "http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip" - ] - } - }, - { - "value": "PokemonGO", - "description": "Ransomware Based on Hidden Tear", - "meta": { - "extensions": [ - ".locked" - ], - "encryption": "AES-256", - "refs": [ - "http://www.nyxbone.com/malware/pokemonGO.html", - "http://www.bleepingcomputer.com/news/security/pokemongo-ransomware-installs-backdoor-accounts-and-spreads-to-other-drives/" - ] - } - }, - { - "value": "Polyglot", - "description": "Ransomware Immitates CTB-Locker", - "meta": { - "encryption": "AES-256", - "refs": [ - "https://support.kaspersky.com/8547", - 
"https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" - ] - } - }, - { - "value": "PowerWare", - "description": "Ransomware Open-sourced PowerShell", - "meta": { - "synonyms": [ - "PoshCoder" - ], - "extensions": [ - ".locky" - ], - "encryption": "AES-128", - "refs": [ - "https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decrypt.py", - "https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip", - "https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/", - "http://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/" - ] - } - }, - { - "value": "PowerWorm", - "description": "Ransomware no decryption possible, throws key away, destroys the files", - "meta": { - "encryption": "AES", - "ransomnotes": [ - "DECRYPT_INSTRUCTION.html" - ] - } - }, - { - "value": "Princess Locker", - "description": "Ransomware", - "meta": { - "extensions": [ - "[a-z]{4,6},[0-9]" - ], - "ransomnotes": [ - "!_HOW_TO_RESTORE_[extension].TXT", - "!_HOW_TO_RESTORE_[extension].html", - "!_HOW_TO_RESTORE_*id*.txt", - ".*id*", - "@_USE_TO_FIX_JJnY.txt" - ], - "refs": [ - "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/", - "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/", - "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/" - ] - } - }, - { - "value": "PRISM", - "description": "Ransomware", - "meta": { - "refs": [ - "http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/" - ] - } - }, - { - "value": "Ps2exe", - "description": "Ransomware", - "meta": { - "refs": [ - "https://twitter.com/jiriatvirlab/status/803297700175286273" - ] - } - }, - { - "value": "R", - "description": "Ransomware", - "meta": { - "ransomnotes": [ - "Ransomware.txt" - ], - "refs": [ - 
"https://twitter.com/malwrhunterteam/status/846705481741733892" - ] - } - }, - { - "value": "R980", - "description": "Ransomware", - "meta": { - "extensions": [ - ".crypt" - ], - "ransomnotes": [ - "DECRYPTION INSTRUCTIONS.txt", - "rtext.txt" - ], - "refs": [ - "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/" - ] - } - }, - { - "value": "RAA encryptor", - "description": "Ransomware Possible affiliation with Pony", - "meta": { - "synonyms": [ - "RAA" - ], - "extensions": [ - ".locked" - ], - "ransomnotes": [ - "!!!README!!![id].rtf" - ], - "refs": [ - "https://reaqta.com/2016/06/raa-ransomware-delivering-pony/", - "http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/" - ] - } - }, - { - "value": "Rabion", - "description": "Ransomware RaaS Copy of Ranion RaaS", - "meta": { - "refs": [ - "https://twitter.com/CryptoInsane/status/846181140025282561" - ] - } - }, - { - "value": "Radamant", - "description": "Ransomware", - "meta": { - "extensions": [ - ".RDM", - ".RRK", - ".RAD", - ".RADAMANT" - ], - "encryption": "AES-256", - "ransomnotes": [ - "YOUR_FILES.url" - ], - "refs": [ - "https://decrypter.emsisoft.com/radamant", - "http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension-to-encrypted-files/", - "http://www.nyxbone.com/malware/radamant.html" - ] - } - }, - { - "value": "Rakhni", - "description": "Ransomware Files might be partially encrypted", - "meta": { - "synonyms": [ - "Agent.iih", - "Aura", - "Autoit", - "Pletor", - "Rotor", - "Lamer", - "Isda", - "Cryptokluchen", - "Bandarchor" - ], - "extensions": [ - ".locked", - ".kraken", - ".darkness", - ".nochance", - ".oshit", - ".oplata@qq_com", - ".relock@qq_com", - ".crypto", - ".helpdecrypt@ukr.net", - ".pizda@qq_com", - ".dyatel@qq_com", - "_ryp", - ".nalog@qq_com", - ".chifrator@qq_com", - ".gruzin@qq_com", - ".troyancoder@qq_com", - ".encrypted", - ".cry", - ".AES256", - ".enc", - ".hb15", - 
".coderksu@gmail_com_id[0-9]{2,3}", - ".crypt@india.com.[\\w]{4,12}" - ], - "ransomnotes": [ - "\\fud.bmp", - "\\paycrypt.bmp", - "\\strongcrypt.bmp", - "\\maxcrypt.bmp", - "%APPDATA%\\Roaming\\.bmp" - ], - "refs": [ - "https://support.kaspersky.com/us/viruses/disinfection/10556" - ] - } - }, - { - "value": "Ramsomeer", - "description": "Ransomware Based on the DUMB ransomware" - }, - { - "value": "Rannoh", - "description": "Ransomware", - "meta": { - "extensions": [ - "locked-.[a-zA-Z]{4}" - ], - "refs": [ - "https://support.kaspersky.com/viruses/disinfection/8547" - ] - } - }, - { - "value": "RanRan", - "description": "Ransomware", - "meta": { - "extensions": [ - ".zXz" - ], - "ransomnotes": [ - "VictemKey_0_5", - "VictemKey_5_30", - "VictemKey_30_100", - "VictemKey_100_300", - "VictemKey_300_700", - "VictemKey_700_2000", - "VictemKey_2000_3000", - "VictemKey_3000", - "zXz.html" - ], - "refs": [ - "https://github.com/pan-unit42/public_tools/tree/master/ranran_decryption", - "http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/", - "https://www.bleepingcomputer.com/news/security/new-ranran-ransomware-uses-encryption-tiers-political-messages/" - ] - } - }, - { - "value": "Ransoc", - "description": "Ransomware Doesn't encrypt user files", - "meta": { - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles", - "https://www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/" - ] - } - }, - { - "value": "Ransom32", - "description": "Ransomware no extension change, Javascript Ransomware" - }, - { - "value": "RansomLock", - "description": "Ransomware Locks the desktop", - "meta": { - "encryption": "Asymmetric 1024 ", - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2" - ] - } - }, - { - 
"value": "RarVault", - "description": "Ransomware", - "meta": { - "ransomnotes": [ - "RarVault.htm" - ] - } - }, - { - "value": "Razy", - "description": "Ransomware", - "meta": { - "extensions": [ - ".razy", - ".fear" - ], - "encryption": "AES-128", - "refs": [ - "http://www.nyxbone.com/malware/Razy(German).html", - "http://nyxbone.com/malware/Razy.html" - ] - } - }, - { - "value": "Rector", - "description": "Ransomware", - "meta": { - "extensions": [ - ".vscrypt", - ".infected", - ".bloc", - ".korrektor" - ], - "refs": [ - "https://support.kaspersky.com/viruses/disinfection/4264" - ] - } - }, - { - "value": "RektLocker", - "description": "Ransomware", - "meta": { - "extensions": [ - ".rekt" - ], - "encryption": "AES-256", - "ransomnotes": [ - "Readme.txt" - ], - "refs": [ - "https://support.kaspersky.com/viruses/disinfection/4264" - ] - } - }, - { - "value": "RemindMe", - "description": "Ransomware", - "meta": { - "extensions": [ - ".remind", - ".crashed" - ], - "ransomnotes": [ - "decypt_your_files.html " - ], - "refs": [ - "http://www.nyxbone.com/malware/RemindMe.html", - "http://i.imgur.com/gV6i5SN.jpg" - ] - } - }, - { - "value": "Rokku", - "description": "Ransomware possibly related with Chimera", - "meta": { - "extensions": [ - ".rokku" - ], - "encryption": "Curve25519 + ChaCha", - "ransomnotes": [ - "README_HOW_TO_UNLOCK.TXT", - "README_HOW_TO_UNLOCK.HTML" - ], - "refs": [ - "https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/" - ] - } - }, - { - "value": "RoshaLock", - "description": "Ransomware Stores your files in a password protected RAR file", - "meta": { - "refs": [ - "https://twitter.com/siri_urz/status/842452104279134209" - ] - } - }, - { - "value": "Runsomewere", - "description": "Ransomware Based on HT/EDA2 Utilizes the Jigsaw Ransomware background", - "meta": { - "refs": [ - "https://twitter.com/struppigel/status/801812325657440256" - ] - } - }, - { - "value": "RussianRoulette", - "description": "Ransomware Variant of the 
Philadelphia ransomware", - "meta": { - "refs": [ - "https://twitter.com/struppigel/status/823925410392080385" - ] - } - }, - { - "value": "SADStory", - "description": "Ransomware Variant of CryPy", - "meta": { - "refs": [ - "https://twitter.com/malwrhunterteam/status/845356853039190016" - ] - } - }, - { - "value": "Sage 2.2", - "description": "Ransomware Sage 2.2 deletes volume snapshots through vssadmin.exe, disables startup repair, uses process wscript.exe to execute a VBScript, and coordinates the execution of scheduled tasks via schtasks.exe.", - "meta": { - "extensions": [ - ".sage" - ], - "refs": [ - "https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate", - "https://malwarebreakdown.com/2017/03/10/finding-a-good-man/" - ] - } - }, - { - "value": "Samas-Samsam", - "description": "Ransomware Targeted attacks -Jexboss -PSExec -Hyena", - "meta": { - "synonyms": [ - "samsam.exe", - "MIKOPONI.exe", - "RikiRafael.exe", - "showmehowto.exe" - ], - "extensions": [ - ".encryptedAES", - ".encryptedRSA", - ".encedRSA", - ".justbtcwillhelpyou", - ".btcbtcbtc", - ".btc-help-you", - ".only-we_can-help_you", - ".iwanthelpuuu", - ".notfoundrans", - ".encmywork", - ".VforVendetta", - ".theworldisyours", - ".Whereisyourfiles", - ".helpmeencedfiles", - ".powerfulldecrypt", - ".noproblemwedecfiles", - ".weareyourfriends", - ".otherinformation", - ".letmetrydecfiles", - ".encryptedyourfiles", - ".weencedufiles", - ".iaufkakfhsaraf", - ".cifgksaffsfyghd" - ], - "encryption": "AES(256) + RSA(2096)", - "ransomnotes": [ - "HELP_DECRYPT_YOUR_FILES.html", - "###-READ-FOR-HELLPP.html", - "000-PLEASE-READ-WE-HELP.html", - "CHECK-IT-HELP-FILES.html", - "WHERE-YOUR-FILES.html", - "HELP-ME-ENCED-FILES.html", - "WE-MUST-DEC-FILES.html", - "000-No-PROBLEM-WE-DEC-FILES.html", - "TRY-READ-ME-TO-DEC.html", - "000-IF-YOU-WANT-DEC-FILES.html", - "LET-ME-TRY-DEC-FILES.html", - "001-READ-FOR-DECRYPT-FILES.html", - "READ-READ-READ.html", - "IF_WANT_FILES_BACK_PLS_READ.html", 
- "READ_READ_DEC_FILES.html" - ], - "refs": [ - "https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip", - "http://blog.talosintel.com/2016/03/samsam-ransomware.html", - "http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf" - ] - } - }, - { - "value": "Sanction", - "description": "Ransomware Based on HiddenTear, but heavily modified keygen", - "meta": { - "extensions": [ - ".sanction" - ], - "encryption": "AES-256 + RSA-2096", - "ransomnotes": [ - "DECRYPT_YOUR_FILES.HTML" - ] - } - }, - { - "value": "Sanctions", - "description": "Ransomware", - "meta": { - "extensions": [ - ".wallet" - ], - "encryption": "AES-256 + RSA-2048", - "ransomnotes": [ - "RESTORE_ALL_DATA.html" - ], - "refs": [ - "https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/" - ] - } - }, - { - "value": "Sardoninir", - "description": "Ransomware", - "meta": { - "extensions": [ - ".enc" - ], - "refs": [ - "https://twitter.com/BleepinComputer/status/835955409953357825" - ] - } - }, - { - "value": "Satana", - "description": "Ransomware", - "meta": { - "extensions": [ - "Sarah_G@ausi.com___" - ], - "ransomnotes": [ - "!satana!.txt" - ], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/", - "https://blog.kaspersky.com/satana-ransomware/12558/" - ] - } - }, - { - "value": "Scraper", - "description": "Ransomware", - "meta": { - "refs": [ - "http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/" - ] - } - }, - { - "value": "Serpico", - "description": "Ransomware DetoxCrypto Variant", - "meta": { - "encryption": "AES", - "refs": [ - "http://www.nyxbone.com/malware/Serpico.html" - ] - } - }, - { - "value": "Shark", - "description": "Ransomware", - "meta": { - "synonyms": [ - "Atom" - ], - "extensions": [ - ".locked" - ], - "encryption": "AES-256", - "ransomnotes": [ - "Readme.txt" - ], - "refs": [ - 
"http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/", - "http://www.bleepingcomputer.com/news/security/shark-ransomware-rebrands-as-atom-for-a-fresh-start/" - ] - } - }, - { - "value": "ShinoLocker", - "description": "Ransomware", - "meta": { - "extensions": [ - ".shino" - ], - "refs": [ - "https://twitter.com/JakubKroustek/status/760560147131408384", - "http://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/" - ] - } - }, - { - "value": "Shujin", - "description": "Ransomware", - "meta": { - "synonyms": [ - "KinCrypt" - ], - "ransomnotes": [ - "文件解密帮助.txt" - ], - "refs": [ - "http://www.nyxbone.com/malware/chineseRansom.html", - "http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/" - ] - } - }, - { - "value": "Simple_Encoder", - "description": "Ransomware", - "meta": { - "extensions": [ - ".~" - ], - "encryption": "AES", - "ransomnotes": [ - "_RECOVER_INSTRUCTIONS.ini" - ], - "refs": [ - "http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/" - ] - } - }, - { - "value": "SkidLocker", - "description": "Ransomware Based on EDA2", - "meta": { - "synonyms": [ - "Pompous" - ], - "extensions": [ - ".locked" - ], - "encryption": "AES-256", - "ransomnotes": [ - "READ_IT.txt" - ], - "refs": [ - "http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/", - "http://www.nyxbone.com/malware/SkidLocker.html" - ] - } - }, - { - "value": "Smash!", - "description": "Ransomware", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/" - ] - } - }, - { - "value": "Smrss32", - "description": "Ransomware", - "meta": { - "extensions": [ - ".encrypted" - ], - "ransomnotes": [ - "_HOW_TO_Decrypt.bmp" - ] - } - }, - { - "value": "SNSLocker", - 
"description": "Ransomware Based on EDA2", - "meta": { - "extensions": [ - ".RSNSlocked", - ".RSplited" - ], - "encryption": "AES-256", - "ransomnotes": [ - "READ_Me.txt" - ], - "refs": [ - "http://nyxbone.com/malware/SNSLocker.html", - "http://nyxbone.com/images/articulos/malware/snslocker/16.png" - ] - } - }, - { - "value": "Sport", - "description": "Ransomware", - "meta": { - "extensions": [ - ".sport" - ] - } - }, - { - "value": "Stampado", - "description": "Ransomware Coded by \"The_Rainmaker\" Randomly deletes a file every 6hrs up to 96hrs then deletes decryption key", - "meta": { - "extensions": [ - ".locked" - ], - "encryption": "AES-256", - "ransomnotes": [ - "Random message includes bitcoin wallet address with instructions" - ], - "refs": [ - "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221", - "http://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/", - "https://decrypter.emsisoft.com/stampado", - "https://cdn.streamable.com/video/mp4/kfh3.mp4", - "http://blog.trendmicro.com/trendlabs-security-intelligence/the-economics-behind-ransomware-prices/" - ] - } - }, - { - "value": "Strictor", - "description": "Ransomware Based on EDA2, shows Guy Fawkes mask", - "meta": { - "extensions": [ - ".locked" - ], - "encryption": "AES-256", - "refs": [ - "http://www.nyxbone.com/malware/Strictor.html" - ] - } - }, - { - "value": "Surprise", - "description": "Ransomware Based on EDA2", - "meta": { - "extensions": [ - ".surprise", - ".tzu" - ], - "encryption": "AES-256", - "ransomnotes": [ - "DECRYPTION_HOWTO.Notepad" - ] - } - }, - { - "value": "Survey", - "description": "Ransomware Still in development, shows FileIce survey", - "meta": { - "ransomnotes": [ - "ThxForYurTyme.txt" - ], - "refs": [ - "http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" - ] - } - }, - { - "value": "SynoLocker", - "description": "Ransomware Exploited 
Synology NAS firmware directly over WAN" - }, - { - "value": "SZFLocker", - "description": "Ransomware", - "meta": { - "extensions": [ - ".szf" - ], - "refs": [ - "http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/" - ] - } - }, - { - "value": "TeamXrat", - "description": "Ransomware", - "meta": { - "extensions": [ - ".___xratteamLucked" - ], - "encryption": "AES-256", - "ransomnotes": [ - "Como descriptografar os seus arquivos.txt" - ], - "refs": [ - "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" - ] - } - }, - { - "value": "TeslaCrypt 0.x - 2.2.0", - "description": "Ransomware Factorization", - "meta": { - "synonyms": [ - "AlphaCrypt" - ], - "extensions": [ - ".vvv", - ".ecc", - ".exx", - ".ezz", - ".abc", - ".aaa", - ".zzz", - ".xyz" - ], - "ransomnotes": [ - "HELP_TO_SAVE_FILES.txt", - "Howto_RESTORE_FILES.html" - ], - "refs": [ - "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", - "http://www.talosintel.com/teslacrypt_tool/" - ] - } - }, - { - "value": "TeslaCrypt 3.0+", - "description": "Ransomware 4.0+ has no extension", - "meta": { - "extensions": [ - ".micro", - ".xxx", - ".ttt", - ".mp3" - ], - "encryption": "AES-256 + ECHD + SHA1", - "refs": [ - "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", - "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/", - "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/" - ] - } - }, - { - "value": "TeslaCrypt 4.1A", - "description": "Ransomware", - "meta": { - "encryption": "AES-256 + ECHD + SHA1", - "ransomnotes": [ - "RECOVER<5_chars>.html", - "RECOVER<5_chars>.png", - "RECOVER<5_chars>.txt", - "_how_recover+.txt", - "_how_recover+.html", - "help_recover_instructions+.html", - 
"help_recover_instructions+.txt", - "help_recover_instructions+.BMP", - "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt", - "_H_e_l_p_RECOVER_INSTRUCTIONS+.html", - "_H_e_l_p_RECOVER_INSTRUCTIONS+.png", - "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt", - "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp", - "HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp", - "HOWTO_RECOVER_FILES_.TXT. e.g. howto_recover_files_xeyye.txt", - "HELP_TO_SAVE_FILES.txt", - "HELP_TO_SAVE_FILES.bmp" - ], - "refs": [ - "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", - "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/", - "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/", - "https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain" - ] - } - }, - { - "value": "TeslaCrypt 4.2", - "description": "Ransomware", - "meta": { - "ransomnotes": [ - "RECOVER<5_chars>.html", - "RECOVER<5_chars>.png", - "RECOVER<5_chars>.txt", - "_how_recover+.txt", - "_how_recover+.html", - "help_recover_instructions+.BMP", - "help_recover_instructions+.html", - "help_recover_instructions+.txt", - "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt", - "_H_e_l_p_RECOVER_INSTRUCTIONS+.html", - "_H_e_l_p_RECOVER_INSTRUCTIONS+.png", - "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt", - "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp", - "HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp", - "HOWTO_RECOVER_FILES_.TXT. e.g. 
howto_recover_files_xeyye.txt", - "HELP_TO_SAVE_FILES.txt", - "HELP_TO_SAVE_FILES.bmp" - ], - "refs": [ - "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", - "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/", - "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/", - "http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications/" - ] - } - }, - { - "value": "Threat Finder", - "description": "Ransomware Files cannot be decrypted Has a GUI", - "meta": { - "ransomnotes": [ - "HELP_DECRYPT.HTML" - ] - } - }, - { - "value": "TorrentLocker", - "description": "Ransomware Newer variants not decryptable. Only first 2 MB are encrypted", - "meta": { - "synonyms": [ - "Crypt0L0cker", - "CryptoFortress", - "Teerac" - ], - "extensions": [ - ".Encrypted", - ".enc" - ], - "encryption": "AES-256 CBC for files + RSA-1024 for AES key uses LibTomCrypt", - "ransomnotes": [ - "HOW_TO_RESTORE_FILES.html", - "DECRYPT_INSTRUCTIONS.html", - "DESIFROVANI_POKYNY.html", - "INSTRUCCIONES_DESCIFRADO.html", - "ISTRUZIONI_DECRITTAZIONE.html", - "ENTSCHLUSSELN_HINWEISE.html", - "ONTSLEUTELINGS_INSTRUCTIES.html", - "INSTRUCTIONS_DE_DECRYPTAGE.html", - "SIFRE_COZME_TALIMATI.html", - "wie_zum_Wiederherstellen_von_Dateien.txt" - ], - "refs": [ - "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/", - "https://twitter.com/PolarToffee/status/804008236600934403", - "http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html" - ] - } - }, - { - "value": "TowerWeb", - "description": "Ransomware", - "meta": { - "ransomnotes": [ - "Payment_Instructions.jpg" - ], - "refs": [ - "http://www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/" - ] - } - }, - { - "value": "Toxcrypt", - "description": 
"Ransomware", - "meta": { - "extensions": [ - ".toxcrypt" - ], - "ransomnotes": [ - "tox.html" - ] - } - }, - { - "value": "Trojan", - "description": "Ransomware", - "meta": { - "synonyms": [ - "BrainCrypt" - ], - "extensions": [ - ".braincrypt" - ], - "ransomnotes": [ - "!!! HOW TO DECRYPT FILES !!!.txt" - ], - "refs": [ - "https://download.bleepingcomputer.com/demonslay335/BrainCryptDecrypter.zip", - "https://twitter.com/PolarToffee/status/811249250285842432" - ] - } - }, - { - "value": "Troldesh orShade, XTBL", - "description": "Ransomware May download additional malware after encryption", - "meta": { - "extensions": [ - ".breaking_bad", - ".better_call_saul", - ".xtbl", - ".da_vinci_code", - ".windows10", - ".no_more_ransom" - ], - "encryption": "AES-256", - "ransomnotes": [ - "README.txt", - "nomoreransom_note_original.txt" - ], - "refs": [ - "https://www.nomoreransom.org/uploads/ShadeDecryptor_how-to_guide.pdf", - "http://www.nyxbone.com/malware/Troldesh.html", - "https://www.bleepingcomputer.com/news/security/kelihos-botnet-delivering-shade-troldesh-ransomware-with-no-more-ransom-extension/" - ] - } - }, - { - "value": "TrueCrypter", - "description": "Ransomware", - "meta": { - "extensions": [ - ".enc" - ], - "encryption": "AES-256", - "refs": [ - "http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card/" - ] - } - }, - { - "value": "Turkish", - "description": "Ransomware", - "meta": { - "extensions": [ - ".sifreli" - ], - "refs": [ - "https://twitter.com/struppigel/status/821991600637313024" - ] - } - }, - { - "value": "Turkish Ransom", - "description": "Ransomware", - "meta": { - "extensions": [ - ".locked" - ], - "encryption": "AES-256", - "ransomnotes": [ - "DOSYALARINIZA ULAŞMAK İÇİN AÇINIZ.html" - ], - "refs": [ - "http://www.nyxbone.com/malware/turkishRansom.html" - ] - } - }, - { - "value": "UmbreCrypt", - "description": "Ransomware CrypBoss Family", - "meta": { - "extensions": [ - 
"umbrecrypt_ID_[VICTIMID]" - ], - "encryption": "AES", - "ransomnotes": [ - "README_DECRYPT_UMBRE_ID_[victim_id].jpg", - "README_DECRYPT_UMBRE_ID_[victim_id].txt", - "default32643264.bmp", - "default432643264.jpg" - ], - "refs": [ - "http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware" - ] - } - }, - { - "value": "UnblockUPC", - "description": "Ransomware", - "meta": { - "ransomnotes": [ - "Files encrypted.txt" - ], - "refs": [ - "https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-support-topic-files-encryptedtxt/" - ] - } - }, - { - "value": "Ungluk", - "description": "Ransomware Ransom note instructs to use Bitmessage to get in contact with attacker - Secretishere.key - SECRETISHIDINGHEREINSIDE.KEY - secret.key", - "meta": { - "extensions": [ - ".H3LL", - ".0x0", - ".1999" - ], - "encryption": "AES", - "ransomnotes": [ - "READTHISNOW!!!.txt", - "Hellothere.txt", - "YOUGOTHACKED.TXT" - ] - } - }, - { - "value": "Unlock92 ", - "description": "Ransomware", - "meta": { - "extensions": [ - ".CRRRT", - ".CCCRRRPPP" - ], - "ransomnotes": [ - "READ_ME_!.txt" - ], - "refs": [ - "https://twitter.com/malwrhunterteam/status/839038399944224768" - ] - } - }, - { - "value": "VapeLauncher", - "description": "Ransomware CryptoWire variant", - "meta": { - "refs": [ - "https://twitter.com/struppigel/status/839771195830648833" - ] - } - }, - { - "value": "VaultCrypt", - "description": "Ransomware", - "meta": { - "synonyms": [ - "CrypVault", - "Zlader" - ], - "extensions": [ - ".vault", - ".xort", - ".trun" - ], - "encryption": "uses gpg.exe", - "ransomnotes": [ - "VAULT.txt", - "xort.txt", - "trun.txt", - ".hta | VAULT.hta" - ], - "refs": [ - "http://www.nyxbone.com/malware/russianRansom.html" - ] - } - }, - { - "value": "VBRANSOM 7", - "description": "Ransomware", - "meta": { - "extensions": [ - ".VBRANSOM" - ], - "refs": [ - "https://twitter.com/BleepinComputer/status/817851339078336513" - ] - } - }, - { - "value": 
"VenusLocker", - "description": "Ransomware Based on EDA2", - "meta": { - "extensions": [ - ".Venusf", - ".Venusp" - ], - "encryption": "AES-256", - "ransomnotes": [ - "ReadMe.txt" - ], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/08/venus-locker-another-net-ransomware/?utm_source=twitter&utm_medium=social", - "http://www.nyxbone.com/malware/venusLocker.html" - ] - } - }, - { - "value": "Virlock", - "description": "Ransomware Polymorphism / Self-replication", - "meta": { - "extensions": [ - ".exe" - ], - "refs": [ - "http://www.nyxbone.com/malware/Virlock.html", - "http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/" - ] - } - }, - { - "value": "Virus-Encoder", - "description": "Ransomware", - "meta": { - "synonyms": [ - "CrySiS" - ], - "extensions": [ - ".CrySiS", - ".xtbl", - ".crypt", - ".DHARMA", - ".id-########.decryptformoney@india.com.xtbl", - ".[email_address].DHARMA" - ], - "encryption": "AES-256", - "ransomnotes": [ - "How to decrypt your data.txt" - ], - "refs": [ - "http://www.welivesecurity.com/2016/11/24/new-decryption-tool-crysis-ransomware/", - "http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip", - "http://www.nyxbone.com/malware/virus-encoder.html", - "http://blog.trendmicro.com/trendlabs-security-intelligence/crysis-targeting-businesses-in-australia-new-zealand-via-brute-forced-rdps/" - ] - } - }, - { - "value": "WildFire Locker", - "description": "Ransomware Zyklon variant", - "meta": { - "synonyms": [ - "Hades Locker" - ], - "extensions": [ - ".wflx" - ], - "ransomnotes": [ - "HOW_TO_UNLOCK_FILES_README_().txt" - ], - "refs": [ - "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/" - ] - } - }, - { - "value": "Xorist", - "description": "Ransomware encrypted files will still have the original non-encrypted header of 0x33 bytes length", - "meta": { - "extensions": [ - ".EnCiPhErEd", - ".73i87A", - ".p5tkjw", - ".PoAr2w", - 
".fileiscryptedhard", - ".encoderpass", - ".zc3791", - ".antihacker2017" - ], - "encryption": "XOR or TEA", - "ransomnotes": [ - "HOW TO DECRYPT FILES.TXT" - ], - "refs": [ - "https://support.kaspersky.com/viruses/disinfection/2911", - "https://decrypter.emsisoft.com/xorist" - ] - } - }, - { - "value": "XRTN ", - "description": "Ransomware VaultCrypt family", - "meta": { - "extensions": [ - ".xrtn" - ] - } - }, - { - "value": "You Have Been Hacked!!!", - "description": "Ransomware Attempt to steal passwords", - "meta": { - "extensions": [ - ".Locked" - ], - "refs": [ - "https://twitter.com/malwrhunterteam/status/808280549802418181" - ] - } - }, - { - "value": "Zcrypt", - "description": "Ransomware", - "meta": { - "synonyms": [ - "Zcryptor" - ], - "extensions": [ - ".zcrypt" - ], - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/" - ] - } - }, - { - "value": "Zimbra", - "description": "Ransomware mpritsken@priest.com", - "meta": { - "extensions": [ - ".crypto" - ], - "ransomnotes": [ - "how.txt" - ], - "refs": [ - "http://www.bleepingcomputer.com/forums/t/617874/zimbra-ransomware-written-in-python-help-and-support-topic-crypto-howtotxt/" - ] - } - }, - { - "value": "Zlader", - "description": "Ransomware VaultCrypt family", - "meta": { - "synonyms": [ - "Russian", - "VaultCrypt", - "CrypVault" - ], - "extensions": [ - ".vault" - ], - "encryption": "RSA", - "refs": [ - "http://www.nyxbone.com/malware/russianRansom.html" - ] - } - }, - { - "value": "Zorro", - "description": "Ransomware", - "meta": { - "extensions": [ - ".zorro" - ], - "ransomnotes": [ - "Take_Seriously (Your saving grace).txt" - ], - "refs": [ - "https://twitter.com/BleepinComputer/status/844538370323812353" - ] - } - }, - { - "value": "Zyklon", - "description": "Ransomware Hidden Tear family, GNL Locker variant", - "meta": { - "synonyms": [ - "GNL Locker" - ], - "extensions": [ - ".zyklon" - ] - } - }, - { - "value": "vxLock", - "description": "Ransomware", - 
"meta": { - "extensions": [ - ".vxLock" - ] - } - }, - { - "value": "Jaff", - "description": "We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed \"Jaff\". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.", - "meta": { - "extensions": [ - ".jaff" - ], - "encryption": "AES", - "ransomnotes": [ - "WallpapeR.bmp", - "ReadMe.bmp", - "ReadMe.html", - "ReadMe.txt" - ], - "refs": [ - "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html", - "https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/" - ] - } - }, - { - "value": "Uiwix Ransomware", - "description": "Using EternalBlue SMB Exploit To Infect Victims", - "meta": { - "extensions": [ - "._[10_digit_victim_id].UIWIX" - ], - "encryption": "may be a mixture of AES and RC4.", - "ransomnotes": [ - "DECODE_FILES.txt" - ], - "refs": [ - "https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/" - ] - } - }, - { - "value": "SOREBRECT", - "description": "Fileless, Code-injecting Ransomware", - "meta": { - "extensions": [ - ".pr0tect" - ], - "ransomnotes": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/06/SOREBRECT-3.jpg" - ], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/" - ] - } - }, - { - "value": "Cyron", - "description": "claims it detected \"Children Pornsites\" in your browser history", - "meta": { - "extensions": [ - ".CYRON" - ], - "ransomnotes": [ - 
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvA8CDWAAIR5er.jpg" - ], - "refs": [ - "https://twitter.com/struppigel/status/899524853426008064" - ] - } - }, - { - "value": "Kappa", - "description": "Made with OXAR builder; decryptable", - "meta": { - "extensions": [ - ".OXR" - ], - "ransomnotes": [ - "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvDae7XoAE9usO[1].jpg" - ], - "refs": [ - "https://twitter.com/struppigel/status/899528477824700416" - ] - } - }, - { - "value": "Trojan Dz", - "description": "CyberSplitter variant", - "meta": { - "extensions": [ - ".Isis" - ], - "ransomnotes": [ - "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvM552WsAAuDbi[1].jpg" - ], - "refs": [ - "https://twitter.com/struppigel/status/899537940539478016" - ] - } - }, - { - "value": "Xolzsec", - "description": "ransomware written by self proclaimed script kiddies that should really be considered trollware", - "meta": { - "extensions": [ - ".xolzsec" - ], - "refs": [ - "https://twitter.com/struppigel/status/899916577252028416" - ] - } - }, - { - "value": "FlatChestWare", - "description": "HiddenTear variant; decryptable", - "meta": { - "extensions": [ - ".flat" - ], - "ransomnotes": [ - "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DH5KChhXsAADOIu[1].jpg" - ], - "refs": [ - "https://twitter.com/struppigel/status/900238572409823232" - ] - } - }, - { - "value": "SynAck", - "description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. 
For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/" - ], - "synonyms": [ - "Syn Ack" - ], - "ransomnotes": [ - "RESTORE_INFO-[id].txt" - ] - } - }, - { - "value": "SyncCrypt", - "description": "A new ransomware called SyncCrypt was discovered by Emsisoft security researcher xXToffeeXx that is being distributed by spam attachments containing WSF files. When installed these attachments will encrypt a computer and append the .kk extension to encrypted files.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/" - ], - "extension": [ - ".kk" - ], - "ransomnotes": [ - "readme.html", - "readme.png" - ] - } - }, - { - "value": "Bad Rabbit", - "description": "On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. 
The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.", - "meta": { - "refs": [ - "http://blog.talosintelligence.com/2017/10/bad-rabbit.html" - ], - "synonyms": [ - "BadRabbit", - "Bad-Rabbit" - ] - } - }, - { - "value": "Halloware", - "description": "A malware author by the name of Luc1F3R is peddling a new ransomware strain called Halloware for the lowly price of $40. Based on evidence gathered by Bleeping Computer, Luc1F3R started selling his ransomware this week, beginning Thursday.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/halloware-ransomware-on-sale-on-the-dark-web-for-only-40/" - ], - "extensions": [ - "(Lucifer) [prepend]" - ] - } - }, - { - "value": "StorageCrypt", - "description": "Recently BleepingComputer has received a flurry of support requests for a new ransomware being named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud. Victims have been reporting that their files have been encrypted and a note left with a ransom demand of between .4 and 2 bitcoins to get their files back. User's have also reported that each share on their NAS device contains a Autorun.inf file and a Windows executable named 美女与野兽.exe, which translates to Beauty and the beast. 
From the samples BleepingComputer has received, this Autorun.inf is an attempt to spread the 美女与野兽.exe file to other computers that open the folders on the NAS devices.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/" - ], - "extensions": [ - ".locked" - ], - "ransomnotes": [ - "_READ_ME_FOR_DECRYPT.txt", - "Warning\n\nYour documents, photos,databases,important files have been encrypted by RSA-4096 and AES-256!\nIf you modify any file, it may cause make you cannot decrypt!!!\n\nDon't waste your precious time to try decrypt the files.\nIf there is no key that we provide to you , NO ONE can decrypt your precious files, even Jesus.\n\nHow to decrypt your files ?\n\nYou have to pay for decryption in bitcoin\nTo decrypt your files,please following the steps below\n\n1,Pay 2.0 bitcoin to this address: [bitcoin_address]\n\nPay To : [bitcoin_address]\nAmount : 2.0\n\n2,After you have finished paying,Contact us and Send us your Decrypt-ID via email\n\n3,Once we have confimed your deal,You can use the tool we sent to you to decrypt all your files.\n\nHow to obtain bitcoin ?\n\nThe easiest way to buy bitcoin is LocalBitcoins site.\nYou have to register, click Buy bitcoins and select the seller\nby payment method and price\n\nhttps://localbitcoins.com/buy_bitcoins\n\nhttps://paxful.com/buy-bitcoin\n\nhttp://bitcointalk.org/\n\n If you have any questions please do not hesitate to contact us\n\nContact Email:JeanRenoAParis@protonmail.com\n\nDecrypt-ID:" - ] - } - }, - { - "value": "HC7", - "description": "A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. 
Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network.\nOriginally released as HC6, victims began posting about it in the BleepingComputer forums towards the end of November. As this is a Python-to-exe executable, once the script was extracted ID Ransomware creator Michael Gillespie was able determine that it was decryptable and released a decryptor.\nUnfortunately, a few days later, the ransomware developers released a new version called HC7 that was not decryptable. Thi sis because they removed the hard coded encryption key and instead switched to inputting the key as a command line argument when the attackers run the ransomware executable. Thankfully, there may be a way to get around that as well so that victims can recover their keys.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/" - ], - "extensions": [ - ".GOTYA" - ], - "ransomnotes": [ - "RECOVERY.txt", - "ALL YOUR FILES WERE ENCRYPTED.\nTO RESTORE THIS FILE, YOU MUST SEND $700 BTC for MASCHINE\nOR $5,000 BTC FOR ALL NETWORK\nADDRESS: 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP\nAFTER PAYMENT SENT EMAIL m4zn0v@keemail.me\nALONG WITH YOUR IDENTITY: VVNFUi1QQzA5\nNOT TO TURN OFF YOUR COMPUTER, UNLESS IT WILL BREAK" - ] - } - }, - { - "value": "HC6", - "description": "Predecessor of HC7", - "meta": { - "refs": [ - "https://twitter.com/demonslay335/status/935622942737817601?ref_src=twsrc%5Etfw", - "https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/" - ], - "extensions": [ - ".fucku" - ] - } - }, - { - "value": "qkG", - "description": "Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same 
Office suite on the same computer.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/qkg-ransomware-encrypts-only-word-documents-hides-and-spreads-via-macros/" - ] - } - }, - { - "value": "Scarab", - "description": "The Scarab ransomware is a relatively new ransomware strain that was first spotted by security researcher Michael Gillespie in June this year.\nWritten in Delphi, the first version was simplistic and was recognizable via the \".scarab\" extension it appended after the names of encrypted files.\nMalwarebytes researcher Marcelo Rivera spotted a second version in July that used the \".scorpio\" extension. The version spotted with the Necurs spam today has reverted back to using the .scarab extension.\nThe current version of Scarab encrypts files but does not change original file names as previous versions. This Scarab version appends each file's name with the \".[suupport@protonmail.com].scarab\" extension.\nScarab also deletes shadow volume copies and drops a ransom note named \"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT\" on users' computers, which it opens immediately.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/", - "https://labsblog.f-secure.com/2017/11/23/necurs-business-is-booming-in-a-new-partnership-with-scarab-ransomware/", - "https://blogs.forcepoint.com/security-labs/massive-email-campaign-spreads-scarab-ransomware", - "https://twitter.com/malwrhunterteam/status/933643147766321152", - "https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/" - ], - "extensions": [ - ".scarab", - ".scorpio", - ".[suupport@protonmail.com].scarab" - ], - "ransomnotes": [ - "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" - ] - } - }, - { - "value": "File Spider", - "description": "A new ransomware called File Spider is being distributed through spam that targets 
victims in Bosnia and Herzegovina, Serbia, and Croatia. These spam emails contains malicious Word documents that will download and install the File Spider ransomware onto a victims computer.File Spider is currently being distributed through malspam that appears to be targeting countries such as Croatia, Bosnia and Herzegovina, and Serbia. The spam start with subjects like\"Potrazivanje dugovanja\", which translates to \"Debt Collection\" and whose message, according to Google Translate, appear to be in Serbian.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/file-spider-ransomware-targeting-the-balkans-with-malspam/" - ], - "extensions": [ - ".spider" - ], - "ransomnotes": [ - "HOW TO DECRYPT FILES.url", - "As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool.\n\nThe good news is that there is still a chance to recover your files, you just need to have the right key.\n\nTo obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!\n\nRemember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.\n\nTo avoid any misunderstanding, please read Help section." 
- ] - } - }, - { - "value": "FileCoder", - "description": "A barely functional piece of macOS ransomware, written in Swift.", - "meta": { - "date": "Febuary 2017", - "refs": [ - "https://objective-see.com/blog/blog_0x25.html#FileCoder" - ], - "synonyms": [ - "FindZip", - "Patcher" - ] - } - }, - { - "value": "MacRansom", - "description": "A basic piece of macOS ransomware, offered via a 'malware-as-a-service' model.", - "meta": { - "date": "June 2017", - "refs": [ - "https://objective-see.com/blog/blog_0x25.html" - ] - } - }, - { - "value": "GandCrab", - "description": "A new ransomware called GandCrab was released towards the end of last week that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld. ", - "meta": { - "date": "January 2018", - "refs": [ - "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", - "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/" - ], - "ransomnotes": [ - "GDCB-DECRYPT.txt", - "---= GANDCRAB =---\n\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB \nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser:http://gdcbghvjyqy7jclk.onion/[id]\n5. Follow the instructions on this page\n\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\n2. 
http://gdcbghvjyqy7jclk.onion.casa/[id]\n3. http://gdcbghvjyqy7jclk.onion.guide/[id]\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!" - ] - } - }, - { - "value": "ShurL0ckr", - "description": "Security researchers uncovered a new ransomware named ShurL0ckr (detected by Trend Micro as RANSOM_GOSHIFR.B) that reportedly bypasses detection mechanisms of cloud platforms. Like Cerber and Satan, ShurL0ckr’s operators further monetize the ransomware by peddling it as a turnkey service to fellow cybercriminals, allowing them to earn additional income through a commission from each victim who pays the ransom.", - "meta": { - "refs": [ - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications" - ], - "date": "Febuary 2018" - } - }, - { - "value": "Cryakl", - "description": "ransomware", - "meta": { - "refs": [ - "https://sensorstechforum.com/fr/fairytail-files-virus-cryakl-ransomware-remove-restore-data/", - "https://www.technologynews.tech/cryakl-ransomware-virus", - "http://www.zdnet.com/article/cryakl-ransomware-decryption-keys-now-available-for-free/" - ], - "date": "January 2018", - "extensions": [ - ".fairytail" - ] - } - }, - { - "value": "Thanatos", - "description": "first ransomware seen to ask for payment to be made in Bitcoin Cash (BCH)", - "meta": { - "refs": [ - "https://mobile.twitter.com/EclecticIQ/status/968478323889332226", - "https://www.eclecticiq.com/resources/thanatos--ransomware-first-ransomware-ask-payment-bitcoin-cash?type=intel-report" - ], - "extensions": [ - ".THANATOS" - ] - } - } - ], - "source": "Various", - "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372", - "name": 
"Ransomware", - "version": 6, - "type": "ransomware", - "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar" -} + "authors": [ + "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml", + "http://pastebin.com/raw/GHgpWjar" + ], + "values": [ + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/nhtnwcuf-ransomware.html" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-OkiR6pVmYUw/WMFiLGPuJhI/AAAAAAAAEME/wccYzFDIzJYWKXVxaTQeB4vM-4X6h3atgCLcB/s1600/note-nhtnwcuf.gif" + ], + "encryption": "AES", + "extensions": [ + "RANDOM 3 LETTERS ARE ADDED" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Nhtnwcuf Ransomware (Fake)", + "uuid": "81b4e3ac-aa83-4616-9899-8e19ee3bb78b" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/cryptojacky-ransomware.html", + "https://twitter.com/jiriatvirlab/status/838779371750031360" + ], + "ransomnotes": [ + "https://1.bp.blogspot.com/-pSmSehFx0bI/WL8Rp7RoMHI/AAAAAAAAEKw/eyfsAjikl9sDHlcjdyQeRxZsLto4hxvGwCLcB/s1600/note-1-2.png" + ], + "encryption": "AES", + "extensions": [ + "RANDOM 3 LETTERS ARE ADDED" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "CryptoJacky Ransomware", + "uuid": "a8187609-329a-4de0-bda7-7823314e7db9" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/kaenlupuf-ransomware.html" + ], + "ransomnotes": [ + "https://1.bp.blogspot.com/-yTOgGw5v_vo/WMBUGHN7bnI/AAAAAAAAELY/8DDyxB4pSWgje_-iVbXgy2agNty1X6D6ACLcB/s1600/C6TUfkZWAAEewi_.jpg" + ], + "encryption": "AES-128", + "date": "March 2017" + }, + "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Kaenlupuf Ransomware", + "uuid": "b97f07c4-136a-488a-9fa0-35ab45fbfe36" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/enjey-crypter-ransomware.html", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2017-spora-cerber-and-technical-writeups/", + "https://www.bleepingcomputer.com/news/security/embittered-enjey-ransomware-developer-launches-ddos-attack-on-id-ransomware/" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-rkOR4L9jDZc/WMG1uI6vqQI/AAAAAAAAEMk/SAu_FleTLHcagf_maS31xt3D_qnwAx2RQCLcB/s1600/note-enjey_2.png" + ], + "encryption": "AES-256", + "extensions": [ + "example:.encrypted.contact_here_me@india.com.enjey" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "EnjeyCrypter Ransomware", + "uuid": "e98e6b50-00fd-484e-a5c1-4b2363579447" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/dangerous-ransomware.html" + ], + "ransomnotes": [ + "DANGEROUS_RANSOM\nHacked.\nPlease contact\nhakermail@someting.com" + ], + "encryption": "AES-128", + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Dangerous Ransomware", + "uuid": "7dbdb949-a53b-4ebe-bc9a-7f49a7c5fd78" + }, + { + "meta": { + "synonyms": [ + "\u0166l\u0e4ft\u0454\u0433\u0e04 \u0433\u0e04\u0e20\u0e23\u0e4f\u0e53\u0e2c\u0e04\u0433\u0454" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/vortex-ransomware.html", + "https://twitter.com/struppigel/status/839778905091424260" + ], + "ransomnotes": [ + "Vortex Ransomware\nCan not find the files on the hard drive? The contents of the files do not open?This is the result of the work of the program, which encrypts a lot of your data with the help of a strong algorithm AES-256, used by power structures to mask the data transferred in electronic form.The only way to recover your files is to buy a decryption program from us, using a one-time key created for you!When you decide to restore your data, please contact us by e-mail: rsapl@openmailbox.org or poiskiransom@airmail.cc2 files will be decrypted in vain to prove that we can do it, for the others, unfortunately, have to pay!\nPrice for the decryption of all files: $ 199\nAttention! 
Do not waste your time,time is money, after 4 days the price will increase by 100%!\nIP = ID =" + ], + "extensions": [ + ".aes" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Vortex Ransomware", + "uuid": "04a5889d-b97d-4653-8a0f-d2df85f93430" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/gc47-ransomware.html" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-i4i0joM4qRk/WMO7sKLu4dI/AAAAAAAAENU/vLR4B1Xg39wduycHe2f0vEYSv_dtJ-gxwCLcB/s1600/note.jpg" + ], + "encryption": "AES-128", + "extensions": [ + ".fuck_you" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "GC47 Ransomware", + "uuid": "2069c483-4701-4a3b-bd51-3850c7aa59d2" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/rozalocker-ransomware.html", + "https://twitter.com/jiriatvirlab/status/840863070733885440" + ], + "ransomnotes": [ + "OUR FILES are encrypted (EVEN NOT LOOKING THAT THEY ARE PARTIALLY OPEN). WE HAVE YOUR LOGIN AND PASSWORD FROM THE ENTERTAINMENT, ONE-CLASSICS, ONLINE BANKS AND OTHERS.\nYOU HAVE 6 HOURS TO PAY FOR A PURCHASE FOR THEM, OTHERWISE WE SHOULD PUT INTO OPEN ACCESS!\nINSTRUCTION:\n1) Find 10 000 (10 thousand) rubles, not less. 
Suitable for the following - (Qiwi, Sberbank, Yandex.Money, Tinkoff Bank, VTB, but better Qiwi (faster)\n2) In the browser, open the site https://x-pay.cc/ - through this site you will transfer money\n3) In the column I DELETE where you will translate (according to item 1) and above enter the amount - 10,000 rubles.\n4) In the RIGHT I select Bitcoin and on top the amount should automatically be transferred tobtc\n5) In the column DATA ENTRY, fill in your requisites from where you will pay and where to transfer (Bitcoin wallet)\nATTENTION-ATTENTION,CORRECTly copy this number to a purse (yes, it's so strange)3FjtFZWjyj46UcfDY4AiUrEv7wLtyzZv5o After inserting, carefully, again check whether it is copied correctly.\n6) Click on GO TO PAY and follow the instructions on the site.\nIn a couple of hours we'll write you on the desktop and return everything to you.\nIf there are difficulties, then write on the mailbox - aoneder@mail.ru" + ], + "encryption": "AES-128", + "extensions": [ + ".enc", + ".ENC" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ", + "value": "RozaLocker Ransomware", + "uuid": "f158ea74-c8ba-4e5a-b07f-52bd8fe30888" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html" + ], + "ransomnotes": [ + "Blocked Your computer has been blocked All your files are encrypted. 
To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the \"Buy Bitcoins\" section and then buy Bitcoin Step 4: Go to the \"Send\" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear 'Check' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites." + ], + "encryption": "AES-128", + "extensions": [ + ".enc" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "CryptoMeister Ransomware", + "uuid": "4c76c845-c5eb-472c-93a1-4178f86c319b" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/gg-ransomware.html" + ], + "encryption": "AES-128", + "extensions": [ + ".GG" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Poses as Hewlett-Packard 2016", + "value": "GG Ransomware", + "uuid": "f62eb881-c6b5-470c-907d-072485cd5860" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/project34-ransomware.html" + ], + "ransomnotes": [ + "(TRANSLATED BY THE SITE EDITOR) YOUR FILES HAVE BEEN LOCKED WITH A PASSWORD TO GET THE PASSWORD WRITE TO US AT project34@india.com WE WILL RESPOND TO YOU WITHIN 20 HOURS IN A MESSAGE, SPECIFY YOUR IP ADDRESS. YOU CAN FIND OUT AT 2IP.RU", + "\u041f\u0410\u0420\u041e\u041b\u042c.txt" + ], + "encryption": "AES-128", + "extensions": [ + ".Project34" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Project34 Ransomware", + "uuid": "4af0d2bd-46da-44da-b17e-987f86957c1d" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/petrwrap-ransomware.html", + "https://www.bleepingcomputer.com/news/security/petrwrap-ransomware-is-a-petya-offspring-used-in-targeted-attacks/", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/", + "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/" + ], + "ransomnotes": [ + "https://1.bp.blogspot.com/-ZbWrN1LR-14/WMhPB7M8LBI/AAAAAAAAERQ/ZGG3RDHd8V0hwK_pf-vYChTn9VRpLBgNQCLcB/s1600/petya-based_ru_3.png" + ], + "encryption": "AES-128", + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "PetrWrap Ransomware", + "uuid": "e11da570-e38d-4290-8a2c-8a31ae832ffb" + }, + { + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/", + "https://id-ransomware.blogspot.co.il/2017/03/karmen-ransomware.html", + "https://twitter.com/malwrhunterteam/status/841747002438361089" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-OmuOKzLOHnw/WMl74fSSaJI/AAAAAAAAESg/4CsOYOSuUeEhsO4jSi6k10sbb_1NnfYxACLcB/s1600/lock-screen.jpg" + ], + "encryption": "AES-128", + "extensions": [ + ".grt" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. RaaS, baed on HiddenTear", + "value": "Karmen Ransomware", + "uuid": "da7de60e-0725-498d-9a35-303ddb5bf60a" + }, + { + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", + "https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg", + "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. 
Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.", + "# !!!HELP_FILE!!! #.txt" + ], + "encryption": "AES-256 + RSA-1024", + "extensions": [ + ".REVENGE" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant", + "value": "Revenge Ransomware", + "uuid": "987d36d5-6ba8-484d-9e0b-7324cc886b0e" + }, + { + "meta": { + "synonyms": [ + "Fake CTB-Locker" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html", + "https://twitter.com/JakubKroustek/status/842034887397908480" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-ccU4txzjpWg/WMl33c7YD3I/AAAAAAAAESU/moLHgQnVMYstKuHKuNgWKz8VbNv5ECdzACLcB/s1600/lock-note.jpg", + "FILES NUMBERED Your local drives, network folders, your external drives are encrypted using 256-bit encryption technology, this means your files are encrypted with a key. They cannot be opened without buying a decryption program and a private key, after the purchase, our program decrypts all your files and they will work like before. If you do not buy the program within 24 hours, then all your files will be permanently deleted. See the \"My Documents\" folder for more information in the file \"Beni Oku.txt\". 
Contact address: d3crypt0r@lelantos.org BTC address: 13hp68keuvogyjhvlf7xqmeox8dpr8odx5 You have to pay at BTC to the above address $ 150 Bitcoin You can do this by purchasing Bitcoinat www.localbitcoins.co Information: Using a computer recovery does not help. Antivirus scanning does not help to recover files, but can lead to loss.", + "Beni Oku.txt" + ], + "encryption": "AES", + "extensions": [ + ".encrypted" + ], + "date": "March 2017" + }, + "description": "his is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Turkish FileEncryptor Ransomware", + "uuid": "a291ac4c-7851-480f-b317-e977a616ac9d" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/kirkspock-ransomware.html", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/", + "https://www.bleepingcomputer.com/forums/t/642239/kirk-ransomware-help-support-topic-kirk-extension-ransom-notetxt/", + "http://www.networkworld.com/article/3182415/security/star-trek-themed-kirk-ransomware-has-spock-decryptor-demands-ransom-be-paid-in-monero.html", + "http://www.securityweek.com/star-trek-themed-kirk-ransomware-emerges", + "https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/", + "https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc/analysis/" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-USLFJX6OMD4/WMwmKIsJnEI/AAAAAAAAETQ/S8uzyHF5mWQZjra6EGBidZ6wqgzrNqIMgCLcB/s1600/full-ransom-note.png", + "!IMPORTANT ! 
READ CAREFULLY: Your computer has fallen victim to the Kirk malware and important files have been encrypted - locked up so they don't work. This may have broken some software, including games, office suites etc. Here's a list of some the file extensions that were targetted : *** There are an additional 441 file extensions that are targetted\n. They are mostly to do with games. To get your files back, you need to pay. Now. Payments\nrecieved more than 48 hours after the time of infection will be charged double. Further time penalties are listed below. The time of infection has been logged. Any files with the extensions listed above will now have the extra extension '.kirked\n', these files are encrypted using military grade encryption.In the place you ran this program from, you should find a note (named RANSOM_NOTE.txt) similar to this one.\nYou will also find a file named 'pwd' - this is your encrypted password file. Although it was generated by your computer, you have no way of ever decrypting it. This is due to the security of both the way it was generated and the way it was encrypted. Your files were encrypted using this password. SPOCK TO THE RESCUE!\n\"Logic, motherfucker.\" ~ Spock.\nDecrypting your files is easy. Take a deep breath and follow the steps below.1) Make the proper payment. Payments are made in Monero. This is a crypto-currency, like bitcoin. You can buy Monero, and send it, from the same places you can any othercrypto-currency. If you're still unsure, google' bitcoin exchange'. Sign up at one of these exchange sites and send the payment to the address below. Make note of the payment / transaction ID, or make one up if you have the option. 
Payment Address (Monero Wallet): 3000375 -199390 0 0 4AqSwfTexbNaHcn8giSJw3KPiWYHGBaCF9bdgPxvHbd5A8Q3Fc7n6FQCReEns8uEg8jUo4BeB79rwf4XSfQPVL1SKdVp2jz Prices: Days :Monero: Offer Expires\n 0-2 : 50 : 03/18/17 15:32:14\n 3-7 : 100 : 03/23/17 15:32:14\n 8-14 : 200 : 03/30/17 15:32:14\n 15-30 : 500 : 04/15/17 15:32:14 Note: In 31 days your password decryption key gets permanently deleted. You then have no way to ever retrieve your files. So pay now \n2) Email us Send your pwd file as an email attachment to one of the email addresses below. Include the payment ID from step 1. Active email addresses: kirk.help@scryptmail.com kirk.payments@scryptmail.com \n3) Decrypt your files. You will recieve your decrypted password file and a program called 'Spock'. Download these both to the same place and run Spock. Spock reads in your decrypted password file and uses it to decrypt all of the affected files on your computer. > IMPORTANT ! The password is unique to this infection. Using an old password or one from another machine will result in corrupted files. Corrupted files cannot be retrieved. Don't fuck around. \n4) Breathe. \nLIVE LONG AND PROSPER", + "RANSOM_NOTE.txt" + ], + "encryption": "AES+RSA", + "extensions": [ + ".kirked", + ".Kirked" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Payments in Monero", + "value": "Kirk Ransomware & Spock Decryptor", + "uuid": "6e442a2e-97db-4a7b-b4a1-9abb4a7472d8" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html", + "https://twitter.com/demonslay335?lang=en", + "https://twitter.com/malwrhunterteam/status/842781575410597894" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-t1Q-a7sJlag/WMw8MBNIrkI/AAAAAAAAET4/aycY-m5GXVYQjcbZJ8N0kIfUZ3onYt8AgCLcB/s1600/note.jpg", + "ZINO_NOTE.TXT" + ], + "encryption": "AES", + "extensions": [ + ".ZINO" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "ZinoCrypt Ransomware", + "uuid": "719c8ba7-598e-4511-a851-34e651e301fa" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html", + "https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84", + "http://www.fixinfectedpc.com/uninstall-crptxxx-ransomware-from-pc", + "https://twitter.com/malwrhunterteam/status/839467168760725508" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-itq9nR2EedY/WM2OPtDKCgI/AAAAAAAAEUI/KcC8vtnmlHENz0CSOvxqoYeZL8qdx1IZgCLcB/s1600/note_2.png", + "HOW_TO_FIX_!.txt" + ], + "encryption": "AES", + "extensions": [ + ".crptxxx" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Uses @enigma0x3's UAC bypass", + "value": "Crptxxx Ransomware", + "uuid": "786ca8b3-6915-4846-8f0f-9865fbc295f5" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html", + "https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/", + "https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-suCNGXgzWuM/WM7HPujx_qI/AAAAAAAAEUk/gIvzbsbB_BUrBmmBsgpb_8w7zjwudu_mACLcB/s1600/note_2.png", + "motd.txt" + ], + "extensions": [ + ".enc" + ], + "date": "March 2017" + }, + "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "MOTD Ransomware", + "uuid": "5d1a3631-165c-4091-ba55-ac8da62efadf" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/cryptodevil-ransomware.html", + "https://twitter.com/PolarToffee/status/843527738774507522" + ], + "ransomnotes": [ + "https://1.bp.blogspot.com/-i5iUwC8XWDo/WM7dSVNQ8UI/AAAAAAAAEVY/uXmUErkLgHcWbfpdw1zGTvwY9DimiAH8wCLcB/s1600/lock-panel.jpg", + "https://1.bp.blogspot.com/-9ovaMSUgtFQ/WM7dXo84tlI/AAAAAAAAEVc/_Zx9gZuvHA0tU9-jtzP492bXa5fQiL7kgCLcB/s1600/key-price.jpg" + ], + "encryption": "AES", + "extensions": [ + ".devil" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "CryptoDevil Ransomware", + "uuid": "f3ead274-6c98-4532-b922-03d5ce4e7cfc" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html", + "https://twitter.com/struppigel/status/837565766073475072" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-QuBYcLAKRPU/WLnE3Rn3MhI/AAAAAAAAEH4/WnC5Ke11j4MO7wmnfqBhtA-hpx6YN6TBgCLcB/s1600/note_2.png" + ], + "encryption": "AES-256+RSA", + "extensions": [ + ".locked" + ], + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", + "value": "FabSysCrypto Ransomware", + "uuid": "e4d36930-2e00-4583-b5f5-d8f83736d3ce" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/lock2017-ransomware.html" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-FllHGqIx_JQ/WL1QF2uMCCI/AAAAAAAAEJQ/Fn-8j2t8dwgSo8YTHM1iOkL-3U_hbcaKwCLcB/s1600/Note_2.png" + ], + "encryption": "AES+RSA", + "extensions": [ + "[file_name.file_ext].id-[UserID]__contact_me_lock2017@protonmail.com_or_lock2017@unseen.is" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Lock2017 Ransomware", + "uuid": "cf47a853-bc1d-42ae-8542-8a7433f6c9c2" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/redants-ransomware.html" + ], + "encryption": "AES", + "extensions": [ + ".Horas-Bah" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "RedAnts Ransomware", + "uuid": "dd3601f1-df0a-4e67-8a20-82e7ba0ed13c" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/consoleapplication1-ransomware.html" + ], + "encryption": "AES", + "extensions": [ + ".locked" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "ConsoleApplication1 Ransomware", + "uuid": "4c3788d6-30a9-4cad-af33-81f9ce3a0d4f" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/krider-ransomware.html", + "https://twitter.com/malwrhunterteam/status/836995570384453632" + ], + "encryption": "AES", + "extensions": [ + ".kr3" + ], + "date": "March 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "KRider Ransomware", + "uuid": "f5ac03f1-4f6e-43aa-836a-cc7ece40aaa7" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/search?updated-min=2017-01-01T00:00:00-08:00&updated-max=2018-01-01T00:00:00-08:00&max-results=50" + ], + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg", + "value": "CYR-Locker Ransomware (FAKE)", + "uuid": "44f6d489-f376-4416-9ba4-e153472f75fc" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/dotransomware.html" + ], + "ransomnotes": [ + "DotRansomware Setup Guide \nAttention!!! \nWe recommend you to build your ransomware inside virtual machine! (But it is safe to use builder on your PC, just don't run builded exe file on your PC!) \nRecommendation: If you have got possibility to run ransomware on victim's computer with administrator privileges then do it. Because it will provide better conversion. 
Recommended decryption price: 0.1 Recommended special decryption prices: FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2 Recommended attacked extensions: *** Recommendation: You need to test builded exe file inside virtual machine, because operability can be broken after crypt/pack of core! \nLinks to website: ***", + "https://4.bp.blogspot.com/-BoKI2-Lhsp8/WLHq34zCtdI/AAAAAAAAECo/YkfIG29vRRsLvdn51ctrMEypptRzZS2IgCLcB/s1600/raas.png" + ], + "encryption": "AES", + "extensions": [ + ".locked" + ], + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "DotRansomware", + "uuid": "0570e09d-10b9-448c-87fd-c1c4063e6592" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html", + "https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-92aP_sumdLo/WLAy3D2kLvI/AAAAAAAAEAQ/FA1j--rOIygsNbDAWqrDqufT7zSwuEnvQCLcB/s1600/note-html_2.png", + "https://3.bp.blogspot.com/-E1vV0sqaw2o/WLB1OvOLCPI/AAAAAAAAEAg/D4OkAOBT_uM4DeVS1hAu6eBGcmga8CSYwCLcB/s1600/site1.png", + "ReadMe-[3_random_chars].html" + ], + "encryption": "AES", + "extensions": [ + ".locked-[3_random_chars]" + ], + "date": "February 2017" + }, + "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments.All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Unlock26 Ransomware", + "uuid": "37b9a28d-8554-4233-b130-efad4be97bc0" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/pickles-ransomware.html", + "https://twitter.com/JakubKroustek/status/834821166116327425" + ], + "ransomnotes": [ + "READ_ME_TO_DECRYPT.txt" + ], + "encryption": "AES", + "extensions": [ + ".EnCrYpTeD" + ], + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware", + "value": "PicklesRansomware", + "uuid": "87171865-9fc9-42a9-9bd4-a453f556f20c" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/vanguard-ransomware.html", + "https://twitter.com/JAMESWT_MHT/status/834783231476166657" + ], + "ransomnotes": [ + "NOT YOUR LANGUAGE? https://translate.google.com Your personal files and documents have been encrypted withAES-256 and RSA-2048! Decrypting your files is only possible with decrypt key stored on our server. Price for key is % bitcoin % BTC (Bitcoin).\n1. Send % bitcoin % BTC to % bitcoinaddress % http://www.coindesk.com/information/how-can-i-buy-bitcoins/ https://www.bitcoin.com/buy-bitcoin \n2. Wait some time for transaction to process \n3. PRIVATE KEY WILL BE DOWNLOADED AND SYSTEM WILL AUTOMATICALLY DECRYPT YOUR FILES! \nIf you do not pay within % hoursvalid % hours key will become DESTROYED and your files LOST forever! Removing this software will make recovering files IMPOSSIBLE! Disable your antivirus for safety." 
+ ], + "encryption": "ChaCha20 and Poly1305", + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses at MSOffice to fool users into opening the infected file. GO Ransomware", + "value": "Vanguard Ransomware", + "uuid": "6a6eed70-3f90-420b-9e4a-5cce9428dc06" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/pyl33t-ransomware.html", + "https://twitter.com/Jan0fficial/status/834706668466405377" + ], + "ransomnotes": [ + "ATTENTION You Have Been Infected With Ransomware. Please Make Note of Your Unique Idenfier : *** " + ], + "encryption": "ChaCha20 and Poly1305", + "extensions": [ + ".d4nk" + ], + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "PyL33T Ransomware", + "uuid": "305cb1fb-d43e-4477-8edc-90b34aaf227f" + }, + { + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/", + "https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-24th-2017-trump-locker-macos-rw-and-cryptomix/" + ], + "ransomnotes": [ + "https://www.bleepstatic.com/images/news/u/986406/Ransomware/TrumpLocker/TrumpLocker-wallpaper.jpg", + "What happen to my files.txt" + ], + "encryption": "AES-128", + "extensions": [ + ".trumplockerf", + ".TheTrumpLockerf", + ".TheTrumpLockerfp" + ], + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
This is the old VenusLocker in disquise .To delete shadow files use the following commend: C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete&exit https://2.bp.blogspot.com/-8qIiBHnE9yU/WK1mZn3LgwI/AAAAAAAAD-M/ZKl7_Iwr1agYtlVO3HXaUrwitcowp5_NQCLcB/s1600/lock.jpg", + "value": "TrumpLocker Ransomware", + "uuid": "63bd845c-94f6-49dc-8f0c-22e6f67820f7" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/damage-ransomware.html", + "https://decrypter.emsisoft.com/damage", + "https://twitter.com/demonslay335/status/835664067843014656" + ], + "ransomnotes": [ + "TtWGgOd57SvPlkgZ***\n ==========\n end of secret_key \nTo restore your files - send e-mail to damage@india.com" + ], + "encryption": "AES-128 OR Combination of SHA-1 and Blowfish", + "extensions": [ + ".damage" + ], + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Written in Delphi", + "value": "Damage Ransomware", + "uuid": "fbcb6a4f-1d31-4e31-bef5-e162e35649de" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/xyzware-ransomware.html", + "https://twitter.com/malwrhunterteam/status/833636006721122304" + ], + "ransomnotes": [ + "All your files has been encrypted with RSA-2048 and AES-128. There is no way to decrypt without private key and decrypt program. You can buy the private key and the decrypt program just for 0.2 BTC (Bitcoin) You have 48 hours to buy it. 
After that, your private key will gone and we can't guarantee to decrypt.Email me for more information about how to buy it at cyberking@indonesianbacktrack.or.id" + ], + "encryption": "AES-128", + "extensions": [ + "your files get marked with: \u201cyouarefucked\u201d" + ], + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", + "value": "XYZWare Ransomware", + "uuid": "f0652feb-a104-44e8-91c7-b0435253352b" + }, + { + "meta": { + "refs": [ + "https://www.enigmasoftware.com/youarefuckedransomware-removal/" + ], + "ransomnotes": [ + "https://1.bp.blogspot.com/-S0-Bop8XUgk/WLD_RVgldgI/AAAAAAAAEBU/r2LmgjTHUbMTtIKGH2pHdKfFXcUEOQdMgCLcB/s1600/lock-act2.png" + ], + "encryption": "AES-128", + "extensions": [ + "your files get marked with: \u201cyouarefucked\u201d" + ], + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "YouAreFucked Ransomware", + "uuid": "912af0ef-2d78-4a90-a884-41f3c37c723b" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-M2CMU8RPgqw/WLfqOCgNXrI/AAAAAAAAEGA/W-uAf30qQgoZxqRwblUcSKzYrM5QmcLfgCLcB/s1600/note-html_2.png", + "How decrypt files.hta" + ], + "encryption": "AES", + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ", + "value": "CryptConsole 2.0 Ransomware", + "uuid": "7343da8f-fe18-46c9-8cda-5b04fb48e97d" + }, + { + "meta": { + "synonyms": [ + "BarRaxCrypt Ransomware" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html", + "https://twitter.com/demonslay335/status/835668540367777792" + ], + "encryption": "AES", + "extensions": [ + ".barRex", + ".BarRax" + ], + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Based on HiddenTear", + "value": "BarRax Ransomware", + "uuid": "c0ee166e-273f-4940-859c-ba6f8666247c" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/cryptolocker-by-ntk-ransomware.html" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-hvTBarxSO8Y/WKs5kjdpgDI/AAAAAAAAD9Q/m3louiSE6xY0BcGjnWvg_NNDU6K1ok3ggCLcB/s1600/lock.jpg" + ], + "encryption": "AES", + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "CryptoLocker by NTK Ransomware", + "uuid": "51bcbbc6-d8e0-4d2b-b5ce-79f26d669567" + }, + { + "meta": { + "synonyms": [ + "CzechoSlovak Ransomware" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/userfileslocker-ransomware.html" + ], + "ransomnotes": [ + "All of your personal information, unfortunately for you, were encrypted\nStep 1 - PAYMENT\nStep 2 - Tell us\nStep 3 - Data Recovery\nYour data and files were encrypted, unfortunately, you need our key. For the encryption each key is unique AES-256 is created on the computer. At the moment, all the files are already encrypted and the keys securely stored in an encrypted form with RSA-2048. \nOnly one way you can recover your files - make payment in Bitcoins and get our key for decryption. Do not believe in any fairy tales on the Internet, it can be circumvented if it was easy, a lot of things in the world stopped working. \nPay according to the instructions, click through the tabs, and wait for your keys. 
We value the market professional customer service and reputation, so will try to unlock your files as soon as possible.\nPayment Amount: 0,8 BTC\nPayment Amount: 2.1 BTC (another option)", + "https://3.bp.blogspot.com/-0D8XdlTNIsA/WLXFiBWz5II/AAAAAAAAEFQ/Hojw0BHHysUieiCnidoVwTrqXVCckLkSQCLcB/s1600/lock-screen.jpg" + ], + "encryption": "AES-256+RSA", + "extensions": [ + ".ENCR" + ], + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "UserFilesLocker Ransomware", + "uuid": "c9e29151-7eda-4192-9c34-f9a81b2ef743" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017_03_01_archive.html", + "https://id-ransomware.blogspot.co.il/2017/03/avastvirusinfo-ransomware.html" + ], + "encryption": "AES-256+RSA", + "extensions": [ + ".A9v9Ahu4-000" + ], + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. 
THE DAMAGE IS PERMENENT!!!!", + "value": "AvastVirusinfo Ransomware", + "uuid": "78649172-cf5b-4e8a-950b-a967ff700acf" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/03/suchsecurity-ransomware.html" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-OCBIabrrZNg/WLm1RGFVKEI/AAAAAAAAEHY/1MASb-0Y7jsBlE2TzyqgknrfDhuEsNx2gCLcB/s1600/Screenshot_1.png" + ], + "encryption": "AES", + "date": "February 2017" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "SuchSecurity Ransomware", + "uuid": "22481dfd-8284-4071-a76f-c9a4a5f43f00" + }, + { + "meta": { + "synonyms": [ + "VHDLocker Ransomware" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/vhd-ransomware.html" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-viZiAZr3_ns/WKrIDWEEBXI/AAAAAAAAD8c/8n1RJ9m2Odoe3bvMMmIm421NdxS-OIRzQCLcB/s1600/note_2.png" + ], + "encryption": "AES-256", + "date": "February 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "PleaseRead Ransomware", + "uuid": "9de7a1f2-cc21-40cf-b44e-c67f0262fbce" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html", + "https://twitter.com/MarceloRivero/status/832302976744173570", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-ehXlWPLxtR8/WKdHF_Y-MeI/AAAAAAAAD5A/KKXO-S9OtMQAcNM-IOV2ees8qKlAJ3pzACLcB/s1600/note.jpg", + "INSTRUCCIONES.txt" + ], + "extensions": [ + "[KASISKI]" + ], + "date": "February 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Kasiski Ransomware", + "uuid": "59b537dc-3764-42fc-a416-92d2950aaff1" + }, + { + "meta": { + "synonyms": [ + "Locky Impersonator Ransomware" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/", + "https://id-ransomware.blogspot.co.il/2017/02/locky-impersonator.html", + "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/" + ], + "ransomnotes": [ + "Files has been encrypted with Locky Ransomware, Do not alter your files or you will not be able to recover anything nobody will be able to recover your data since its set to AES-256 and requires our Key Send me 1.0 bitcoins Send payment to this Address: 13DYdAKb8nfo1AYeGpJXwKZYupyeqYu2QZ For Instructions on how to Purchase & send bitcoin refer to this link : *** for support Email: lockyransomware666@sigaint.net After 48 Hours your ransom 
doubles to 2.0 BTC After 72 Hours we will delete your recovery keys" + ], + "encryption": "AES", + "extensions": [ + ".locked" + ], + "date": "February 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Fake Locky Ransomware", + "uuid": "26a34763-a70c-4877-b99f-ae39decd2107" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/cryptoshield-2-ransomware.html", + "https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/" + ], + "ransomnotes": [ + "# RESTORING FILES #.txt", + "# RESTORING FILES #.html", + "https://2.bp.blogspot.com/-A-N9zQgZrhE/WJHAHzuitvI/AAAAAAAADhI/AHkLaL9blZgqQWc-sTevVRTxVRttbugoQCLcB/s1600/note-2.png" + ], + "encryption": "AES(256)/ROT-13", + "extensions": [ + ".CRYPTOSHIELD (The name is first changed using ROT-13, and after a new extension is added.)" + ], + "date": "January 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
CryptoShield 1.0 is a ransomware from the CryptoMix family.", + "value": "CryptoShield 1.0 Ransomware", + "uuid": "1f915f16-2e2f-4681-a1e8-e146a0a4fcdf" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/", + "https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/", + "https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-nzY6thZOXSk/WKbYmWxa0rI/AAAAAAAAD3s/t_3d90FGOe8je8rfeeYLF1jzJinG5JMVgCLcB/s1600/note_2_2.png", + "https://3.bp.blogspot.com/-Yisae5e5Pjs/WKbXmIXU8YI/AAAAAAAAD3g/WZs5XzL4l4snT2j4yfc3CAaF7KonH_DQACLcB/s1600/note_1.png", + "DECRYPT_INFORMATION.html", + "UNIQUE_ID_DO_NOT_REMOVE" + ], + "encryption": "AES", + "extensions": [ + ".locked" + ], + "date": "February 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Filemarker: \"HERMES\"", + "value": "Hermes Ransomware", + "uuid": "b7102922-8aad-4b29-8518-6d87c3ba45bb" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/lovelock-ransomware.html" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-YdCKWLUFBOo/WKRCD2BLzTI/AAAAAAAAD14/BPtYMLvQpEMAbT-ZdiCVPi_LZCrXYJMhwCLcB/s1600/ReadME%2521.txt.jpg" + ], + "encryption": "AES", + "extensions": [ + ".hasp" + ], + "date": "February 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "LoveLock Ransomware or Love2Lock Ransomware", + "uuid": "0785bdda-7cd8-4529-b28e-787367c50298" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/wcry-ransomware.html" + ], + "ransomnotes": [ + "https://1.bp.blogspot.com/-iUq492KUatk/WKH-GXnO4-I/AAAAAAAADzw/9uwo1LF5ciIvMJ6jAn3mskSqtdiTkxvlACLcB/s1600/lock-note.jpg" + ], + "encryption": "AES", + "extensions": [ + ".wcry" + ], + "date": "February 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Wcry Ransomware", + "uuid": "0983bdda-c637-4ad9-a56f-615b2b052740" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/dumb-ransomware.html", + "https://twitter.com/bleepincomputer/status/816053140147597312?lang=en" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-_Udncaac_gM/WKROBN00ORI/AAAAAAAAD2U/HsHkEspG85YSfPg-8MbPYYTYmBU4PAJAgCLcB/s1600/note_2.png", + "https://4.bp.blogspot.com/-Vx9ZtCODajg/WKiMr2QX5cI/AAAAAAAAD64/QAh37o_CRIImaxUfIhoEh8qE4JLn5HaNwCLcB/s1600/dumb.jpg" + ], + "encryption": "AES", + "date": "February 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "DUMB Ransomware", + "uuid": "27feba66-e9c7-4414-a560-1e5b7da74d08" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017_02_01_archive.html", + "https://id-ransomware.blogspot.co.il/2017/02/x-files-ransomware.html" + ], + "encryption": "AES", + "extensions": [ + ".b0C", + ".b0C.x" + ], + "date": "February 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "X-Files", + "uuid": "c24f48ca-060b-4164-aafe-df7b3f43f40e" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/polski-ransomware.html" + ], + "ransomnotes": [ + "https://1.bp.blogspot.com/-ahpZEI1FHQM/WJd7_dpYlyI/AAAAAAAADm8/4-nFXqc9bjEI93VDJRdsLSlBOwQiaM7swCLcB/s1600/note.jpg" + ], + "encryption": "AES-256", + "extensions": [ + ".aes" + ], + "date": "February 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
The Ransom is 249$ and the hacker demands that the victim gets in contact through e-mail and a Polish messenger called Gadu-Gadu.", + "value": "Polski Ransomware", + "uuid": "b50265ac-ee45-4f5a-aca1-fabe3157fc14" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html", + "https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/", + "https://twitter.com/_ddoxer/status/827555507741274113" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-dFQlF_6uTkI/WJYigC5GwiI/AAAAAAAADlk/jm-ZwqJ2mVYd2gtAQgYW_lOd78u5N2x0ACLcB/s1600/note_2.png", + "README.txt" + ], + "encryption": "AES-256", + "extensions": [ + ".yourransom" + ], + "date": "February 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This hacker demands that the victim contacts him through email and decrypts the files for FREE.(moreinfo in the link below)", + "value": "YourRansom Ransomware", + "uuid": "908b914b-6744-4e16-b014-121cf2106b5f" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/02/ranion-raas.html", + "https://www.bleepingcomputer.com/news/security/ranion-ransomware-as-a-service-available-on-the-dark-web-for-educational-purposes/" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-ORiqmM6oWXc/WJV7X4IvTWI/AAAAAAAADlE/wXvz5Hsv1gQ-UrLoA1plVjLTVD7iDDxwQCLcB/s1600/buy_2.png" + ], + "encryption": "AES-256", + "date": "February 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Ranion Raas gives the opportunity to regular people to buy and distribute ransomware for a very cheap price. (More info in the link below). RaaS service", + "value": "Ranion RaasRansomware", + "uuid": "b4de724f-add4-4095-aa5a-e4d039322b59" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/polato-ransomware.html" + ], + "ransomnotes": [ + "How to recover my files.txt", + "README.png", + "README.html", + "https://2.bp.blogspot.com/-E9GDxEoz95k/WIop79nWZ2I/AAAAAAAADZU/CnsvOl96yesoH07BZ2Q05Fp40kLcTMmqQCLcB/s1600/note.jpg" + ], + "encryption": "AES-256", + "extensions": [ + ".potato" + ], + "date": "January 2017" + }, + "description": "Wants a ransom to get the victim\u2019s files back . Originated in English. Spread worldwide.", + "value": "Potato Ransomware", + "uuid": "378cb77c-bb89-4d32-bef9-1b132343f3fe" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/opentodecrypt-ransomware.html" + ], + "ransomnotes": [ + "!!!.txt", + "1.bmp", + "1.jpg", + "https://3.bp.blogspot.com/-RPeHrC9Trqk/WGk1kQlBQQI/AAAAAAAAC6o/FutnWrlUf44hq54_xI_6Uz2migCR0rwlwCLcB/s1600/Note-wallp.jpg", + "Your files are encrypted! To decrypt write on email - opentoyou@india.comIdentification key - 5E1C0884" + ], + "encryption": "RC4", + "extensions": [ + ".-opentoyou@india.com" + ], + "date": "December 2016/January 2017" + }, + "description": "This ransomware is originated in English, therefore could be used worldwide. 
Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.", + "value": "of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)", + "uuid": "e290fa29-6fc1-4fb5-ac98-44350e508bc1" + }, + { + "meta": { + "refs": [ + "http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html", + "https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html", + "https://twitter.com/jiriatvirlab/status/825411602535088129" + ], + "ransomnotes": [ + "YOUR FILES ARE ENCRYPTED!!!.txt", + "https://2.bp.blogspot.com/-uIb_TdWTk3Q/WI2qRSlsXJI/AAAAAAAADcE/h92XEY6AraQMUwEIOBZ9moxN1J2So8xpwCLcB/s1600/note_2.png", + "YOUR FILES ARE ENCRYPTED!!! To restore (decrypt) them you must:\n1. Pay 0.25 bitcoin (btc) to address 36QLSB*** You can get BTC on this site http://localbitcoins.com \n2. After payment you must send Bitcoin Transacation ID to E-mail: andresaha82@gmail.com Then we will send you decryption tool." + ], + "encryption": "AES", + "extensions": [ + ".encrypted" + ], + "date": "January 2017" + }, + "description": "Author of this ransomware is sergej. Ransom is 0.25 bitcoins for the return of files. Originated in English. Used worldwide. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.", + "value": "RansomPlus", + "uuid": "c039a50b-f5f9-4ad0-8b66-e1d8cc86717b" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html", + "https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/", + "https://twitter.com/PolarToffee/status/824705553201057794" + ], + "ransomnotes": [ + "How decrypt files.hta", + "Your files are encrypted! Your personal ID764F6A6664514B414373673170615339554A534A5832546A55487169644B4A35 Discovered a serious vulnerability in your network security. No data was stolen and no one will be able to do it while they are encrypted. 
For you we have automatic decryptor and instructions for remediation. How to get the automatic decryptor : \n1) Pay 0,25 BTC Buy BTC on one of these sites: https://localbitcoins.com https://www.coinbase.com https://xchange.cc bitcoin adress for pay: 1KG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm Send 0,25 BTC \n2) Send screenshot of payment to unCrypte@outlook.com. In the letter include your personal ID (look at the beginning of this document). \n3) You will receive automatic decryptor and all files will be restored \n* To be sure in getting the decryption, you can send one file (less than 10MB) to unCrypte@outlook.com In the letter include your personal ID (look at the beginning of this document). But this action will increase the cost of the automatic decryptor on 0,25 btc... \nAttention! \n\u2022 No Payment = No decryption \n\u2022 You really get the decryptor after payment \n\u2022 Do not attempt to remove the program or run the anti-virus tools \n\u2022 Attempts to self-decrypting files will result in the loss of your data \n\u2022 Decoders other users are not compatible with your data, because each user's unique encryption key" + ], + "encryption": "AES", + "extensions": [ + ".unCrypte@outlook.com_<random_numbers_and_upper_alphabetic_characters> ", + ".decipher_ne@outlook.com_<random_numbers_and_upper_alphabetic_characters" + ], + "date": "January 2017" + }, + "description": "This ransomware does not actually encrypt your file, but only changes the names of your files, just like Globe Ransomware. 
This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files", + "value": "CryptConsole", + "uuid": "42508fd8-3c2d-44b2-9b74-33c5d82b297d" + }, + { + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/forums/t/638191/zxz-ransomware-support-help-topic-zxz/?hl=%2Bzxz#entry4168310", + "https://id-ransomware.blogspot.co.il/2017/01/zxz-ransomware.html" + ], + "extensions": [ + ".zxz" + ], + "date": "January 2017" + }, + "description": "Originated in English, could affect users worldwide, however so far only reports from Saudi Arabia. The malware name founded by a windows server tools is called win32/wagcrypt.A", + "value": "ZXZ Ramsomware", + "uuid": "e4932d1c-2f97-474d-957e-c7df87f9591e" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/vxlock-ransomware.html" + ], + "encryption": "AES+RSA", + "extensions": [ + ".vxlock" + ], + "date": "January 2017" + }, + "description": "Developed in Visual Studios in 2010. Original name is VxCrypt. This ransomware encrypts your files, including photos, music, MS office, Open Office, PDF\u2026 etc", + "value": "VxLock Ransomware", + "uuid": "14deb95c-7af3-4fb1-b2c1-71087e1bb156" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/funfact.html", + "http://www.enigmasoftware.com/funfactransomware-removal/" + ], + "ransomnotes": [ + "note.iti", + "Important Information!!!! You had bad luck. All your files are encrypted with RSA and AES ciphers. to get your files back read carefully. if you do not understand, Read again. All your documents are recoverable only with our software and key file. To decrypt files you need to contact worldfunfact@sigaint.org or funfacts11@tutanota.com and set your ID as email title and send clsign.dll file from your computer. That is the key file and yes, it\u2019s encrypted. Search your computer for filename \u201cclsign.dll\u201d attach it to email. 
if you wish we will decrypt one of your encrypted file for free! It\u2019s your guarantee. After you made payment you will receive decryption software with key and necessary instructions. if you don\u2019t contact us within 72 hours we will turn on sanctions. you\u2019ll have to pay more. Recovery is only possible during 7 days. after that don\u2019t contact us. Remember you are just single payment away from all your files If your files are urgent pay exactly requested amount to Bitcoin (BTC) address and send clsign.dll file to us. We will send your decryption software within 24 hours; remember if you contact us first maybe you\u2019ll have to pay less\nUser ID: 658061***\nBTC Address: 1AQrj***\nAmount(BTC): 1.65806\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion:\nGnuPG\nv2\n*******************************\n-----END PGP PUBLIC KEY BLOCK-----" + ], + "encryption": "AES+RSA", + "date": "January 2017" + }, + "description": "Funfact uses an open code for GNU Privacy Guard (GnuPG), then asks to email them to find out the amout of bitcoin to send (to receive a decrypt code). Written in English, can attach all over the world. The ransom is 1.22038 BTC, which is 1100USD.", + "value": "FunFact Ransomware", + "uuid": "2bfac605-a2c5-4742-92a2-279a08a4c575" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/06/zekwacrypt-ransomware.html", + "http://www.2-spyware.com/remove-zekwacrypt-ransomware-virus.html" + ], + "ransomnotes": [ + "encrypted_readme.txt", + "__encrypted_readme.txt", + "https://2.bp.blogspot.com/-CLo4JTpveKY/WI4sVXEQSPI/AAAAAAAADcU/n8qrwehDEQMlG845cjNow_fC4PDqlvPIQCLcB/s1600/note_2.png", + "WARNING! Your personal files are encrypted! Your most important files on this computer have been encrypted: photos, documents, videos, music, etc. You can verify this by trying to open such files. 
Encryption was produced using an UNIQUE public RSA-4096 key, specially generated for this computer only, thus making it impossible to decrypt such files without knowing private key and comprehensive decipher software. We have left on our server a copy of the private key, along with all required software for the decryption. To make sure that software is working as intended you have a possibility to decrypt one file for free, see contacts below. The private key will be destroyed after 7 days, afterwards making it impossible to decrypt your files. Encryption date: *** Private key destruction date: *** For obtaining decryption software, please, contact: myserverdoctor@gmail.com or XMPP jabber: doctordisk@jabbim.com" + ], + "encryption": "AES+RSA", + "extensions": [ + ".<7_random_letters>" + ], + "date": "January 2017" + }, + "description": "First spotted in May 2016, however made a big comeback in January 2017. It\u2019s directed to English speaking users, therefore is able to infect worldwide. 
Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.", + "value": "ZekwaCrypt Ransomware", + "uuid": "89d5a541-ef9a-4b18-ac04-2e1384031a2d" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html", + "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/", + "http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom", + "https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/", + "https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-generation-algorithm-ipga" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-6YhxRaqa_9Q/WISA9dW31bI/AAAAAAAADUE/78mNNKpPMyc2Gzi1N9CooyQp7RNT40NNgCLcB/s1600/note1_2.png", + "https://1.bp.blogspot.com/-_c5vGu4nCvE/WIT_pWP_FSI/AAAAAAAADUs/8hK8a4E48sY3U_aAHC2qNzYDBL0bQcNjgCLcB/s1600/note-wallp111.png", + "!Recovery_[3_random_chars].html" + ], + "encryption": "AES", + "extensions": [ + ".sage" + ], + "date": "January 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. This ransomware attacks your MS Office by offering a Micro to help with your program, but instead incrypts all your files if the used id not protected. Predecessor CryLocker", + "value": "Sage 2.0 Ransomware", + "uuid": "9174eef3-65f7-4ab5-9b55-b323b36fb962" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/cloudsword.html", + "http://bestsecuritysearch.com/cloudsword-ransomware-virus-removal-steps-protection-updates/", + "https://twitter.com/BleepinComputer/status/822653335681593345" + ], + "ransomnotes": [ + "Warning\u8b66\u544a.html", + "https://4.bp.blogspot.com/-OTxFEWf7LiY/WIO0rJmBgJI/AAAAAAAADTQ/U3BLcd2-CPQQ_73eIKIyg28cKFmw4nctgCLcB/s1600/note.jpg" + ], + "encryption": "AES", + "date": "January 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. 
Uses the name \u201cWindow Update\u201d to confuse its victims. Then imitates the window update process , while turning off the Window Startup Repair and changes the BootStatusPolicy using these commands: bcdedit.exe /set {default} recoveryenabled No bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", + "value": "CloudSword Ransomware", + "uuid": "a89e0ae0-e0e2-40c5-83ff-5fd672aaa2a4" + }, + { + "meta": { + "synonyms": [ + "Fake" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/dn-donotopen.html" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-llR46G5zOBE/WIJuTTHImXI/AAAAAAAADS8/Ww_QU1Z7Q3geZgiSStJB3siO3oQJpIcowCLcB/s1600/note.jpg", + "https://4.bp.blogspot.com/-ilIaUD5qOuk/WIJuV1TuC1I/AAAAAAAADTA/SOj8St_qXMsgDexK1BGgZT0yFDkNDz_7QCLcB/s1600/lock.jpg" + ], + "encryption": "AES", + "extensions": [ + ".killedXXX" + ], + "date": "January 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. Uses the name \u201cChrome Update\u201d to confuse its victims. Then imitates the chrome update process ,while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!!!!", + "value": "DN", + "uuid": "327eb8b4-5793-42f0-96c0-7f651a0debdc" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/garryweber.html" + ], + "ransomnotes": [ + "HOW_OPEN_FILES.html", + "https://1.bp.blogspot.com/-w6lxK0qHj8A/WIO_iAngUzI/AAAAAAAADTk/dLGlrwwOh508AlG2ojLRszpUxL0tHrtSQCLcB/s1600/note-html.jpg" + ], + "encryption": "AES", + "extensions": [ + ".id-_garryweber@protonmail.ch" + ], + "date": "January 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. Its original name is FileSpy and FileSpy Application. It is spread using email spam, fake updates, infected attachments and so on. 
It encryps all your files, including: music, MS Office, Open Office, pictures etc..", + "value": "GarryWeber Ransomware", + "uuid": "b6e6da33-bf23-4586-81cf-dcfe10e13a81" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html", + "https://www.bleepingcomputer.com/forums/t/637811/satan-ransomware-help-support-topic-stn-extension-help-decrypt-fileshtml/", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/", + "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/", + "https://twitter.com/Xylit0l/status/821757718885236740" + ], + "ransomnotes": [ + "https://1.bp.blogspot.com/-5BgSHIym-8Y/WIH92q4ymHI/AAAAAAAADSk/MF2T-mmhuY4irQZFqmpGZjmUI2onlNCyACLcB/s1600/ransom-note.png", + "HELP_DECRYPT_FILES.html" + ], + "encryption": "AES-256 + RSA-2048", + "extensions": [ + ".stn" + ], + "date": "January 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc.. This ransomware promotes other to download viruses and spread them as ransomware to infect other users and keep 70% of the ransom. 
(leaving the other 30% to Satan) https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif RaaS", + "value": "Satan Ransomware", + "uuid": "61d8bba8-7b22-493f-b023-97ffe7f17caf" + }, + { + "meta": { + "synonyms": [ + "HavocCrypt Ransomware" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/havoc-ransomware.html" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-Xs7yigomWw8/WH0mqn0QJLI/AAAAAAAADKA/0Fk5QroMsgQ3AsXbHsbVtopcJN4qzDgdACLcB/s1600/note.jpg" + ], + "encryption": "AES", + "extensions": [ + ".HavocCrypt" + ], + "date": "January 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures , videos, shared online files etc..", + "value": "Havoc", + "uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/cryptosweettooth.html", + "http://sensorstechforum.com/remove-cryptosweettooth-ransomware-restore-locked-files/" + ], + "ransomnotes": [ + "IMPORTANTE_LEER.html", + "RECUPERAR_ARCHIVOS.html", + "https://3.bp.blogspot.com/-KE6dziEK4To/WHnvPzKOs7I/AAAAAAAADHI/KPBjmO9iChgAa12-f1VOxF49Pv27-0XfQCLcB/s1600/note.jpg" + ], + "encryption": "AES", + "extensions": [ + ".locked" + ], + "date": "January 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Its fake name is Bitcoin and maker\u2019s name is Santiago. Work of the encrypted requires the user to have .NET Framework 4.5.2. 
on his computer.", + "value": "CryptoSweetTooth Ransomware", + "uuid": "ca831782-fcbf-4984-b04e-d79b14e48a71" + }, + { + "meta": { + "synonyms": [ + "RansomTroll Ransomware", + "K\u00e4\u00e4nds\u00f5na Ransomware" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html", + "https://twitter.com/BleepinComputer/status/819927858437099520" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-v3jncd77m3U/WHkjPoEusKI/AAAAAAAADGE/xJOIgzm-ST0L4kpNeThKTyfukq3e1Th-QCLcB/s1600/troll-22.png", + "You have been struck by the holy Kaandsona ransomware Either you pay 1 BTC in 24 hours or you lose ALL FILES \nbutton 'Show all encrypted files' \nbutton 'PAY'" + ], + "encryption": "AES", + "extensions": [ + ".kencf" + ], + "date": "January 2017" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The word Kaandsona is Estonian, therefore the creator is probably from Estonia. Crashes before it encrypts", + "value": "Kaandsona Ransomware", + "uuid": "aed61a0a-dc48-43ac-9c33-27e5a286899e" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2017/01/lambdalocker.html", + "http://cfoc.org/how-to-restore-files-affected-by-the-lambdalocker-ransomware/" + ], + "ransomnotes": [ + "READ_IT.hTmL", + "https://1.bp.blogspot.com/-B3o6bGziu_M/WHkyueI902I/AAAAAAAADGw/la7psCE9JEEe17GipFh69xVnIDYGFF38wCLcB/s1600/note-1-2.gif" + ], + "encryption": "AES-256", + "extensions": [ + ".lambda_l0cked" + ], + "date": "January 2017" + }, + "description": "It\u2019s directed to English and Chinese speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware",
+ "value": "LambdaLocker Ransomware",
+ "uuid": "0d1b35e9-c87a-4972-8c27-a11c13e351d7"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "HakunaMatataRansomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/hakunamatata.html",
+ "https://id-ransomware.blogspot.co.il/2016_03_01_archive.html"
+ ],
+ "ransomnotes": [
+ "Recovers files yako.html",
+ "https://4.bp.blogspot.com/-DUXeyyzqwKs/WHkrGvLyFvI/AAAAAAAADGg/SPfrNMZYGs8edE7X5z-3MBroIqS5GQ8kACLcB/s1600/note_1-str_2.png"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".HakunaMatata"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "NMoreia 2.0 Ransomware",
+ "uuid": "0645cae2-bda9-4d68-8bc3-c3c1eb9d1801"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/marlboro.html",
+ "https://decrypter.emsisoft.com/marlboro",
+ "https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-7UmhPM2VSKY/WHe5tDsHfuI/AAAAAAAADFM/FRdUnAyxAggvF0hX0adtrpq48F7HXPbawCLcB/s1600/check-decrypt.png",
+ "https://1.bp.blogspot.com/-MWRTa6aXtdk/WHflJFyb-GI/AAAAAAAADFs/dc-l-RrWSCAPE8akw2SCb1uuj-a-2shiwCLcB/s1600/docm.png",
+ "_HELP_Recover_Files_.html"
+ ],
+ "encryption": "XOR",
+ "extensions": [
+ ".oops"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is .2 bitcoin, however there is no point of even trying to pay, since this damage is irreversible. Once the ransom is paid the hacker does not return decrypt the files. Another name is DeMarlboro and it is written in language C++. Pretend to encrypt using RSA-2048 and AES-128 (really it\u2019s just XOR)",
+ "value": "Marlboro Ransomware",
+ "uuid": "4ae98da3-c667-4c6e-b0fb-5b52c667637c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html",
+ "https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware",
+ "http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-0COE3ADdaYk/WHpnHzuo7OI/AAAAAAAADHY/yfDF3XG720Yyn3xQHwFngt1T99cT-Xt3wCLcB/s1600/rus-note_2.png",
+ "[Infection-ID].HTML"
+ ],
+ "encryption": "AES+RSA",
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of a spam email with a viral attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png",
+ "value": "Spora Ransomware",
+ "uuid": "46601172-d938-47af-8cf5-c5a796ab68ab"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/cryptokill-ransomware.html"
+ ],
+ "encryption": "AES+RSA",
+ "extensions": [
+ ".crypto"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files get encrypted, but the decrypt key is not available. NO POINT OF PAYING THE RANSOM, THE FILES WILL NOT BE RETURNED.",
+ "value": "CryptoKill Ransomware",
+ "uuid": "7ae2f594-8a72-4ba8-a37a-32457d1d3fe8"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/allyourdocuments-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-mwIvQNkFH4g/WKAydZnGn_I/AAAAAAAADxs/6xHgbD3OUFUbebeuNVkI6tp_cMRVUQHtQCLcB/s1600/note_2.png"
+ ],
+ "extensions": [
+ "AES+RSA"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "All_Your_Documents Ransomware",
+ "uuid": "62120e20-21f6-474b-9dc1-fc871d25c798"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/serbransom-2017.html",
+ "https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/",
+ "https://twitter.com/malwrhunterteam/status/830116190873849856"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-OY8jgTN5Y9Q/WKAI6a9xfMI/AAAAAAAADwc/ng36hAXsvfYQ5rdkSFeVgEvLY88pJmnWACLcB/s1600/note-html-wallp.jpg",
+ "https://3.bp.blogspot.com/-DQQ5tk0C9lY/WKALND0dYPI/AAAAAAAADwo/EuKiO_F0Mn0ImrGLVE-Sks-j93pHoTjKACLcB/s1600/konstr.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".velikasrbija"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 500$ in bitcoins. The name of the hacker is R4z0rx0r Serbian Hacker.",
+ "value": "SerbRansom 2017 Ransomware",
+ "uuid": "fb1e99cb-73fa-4961-a052-c90b3f383542"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/fadesoft-ransomware.html",
+ "https://twitter.com/malwrhunterteam/status/829768819031805953",
+ "https://twitter.com/malwrhunterteam/status/838700700586684416"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-5t-5eBl4Tng/WKARmYV5GVI/AAAAAAAADxA/OuS7Eo__z1sh2tRbBpQIxJQ6IVbSiQakwCLcB/s1600/lock-note.jpg"
+ ],
+ "encryption": "AES",
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 0.33 bitcoins.",
+ "value": "Fadesoft Ransomware",
+ "uuid": "ccfe7f6a-9c9b-450a-a4c7-5bbaf4a82e37"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/hugeme-ransomware.html",
+ "https://www.ozbargain.com.au/node/228888?page=3",
+ "https://id-ransomware.blogspot.co.il/2016/04/magic-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-kolk6sABFzQ/WJ95ddcAxNI/AAAAAAAADwI/oP8ZFD7KnqoQWgpfgEHId843x3l0xfhjACLcB/s1600/note_2.png"
+ ],
+ "encryption": "AES-256 + RSA-2048",
+ "extensions": [
+ ".encypted"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "HugeMe Ransomware",
+ "uuid": "681ad7cc-fda0-40dc-83b3-91fdfdec81e1"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "DynA CryptoLocker Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/dyna-crypt-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-steals-your-info/"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-Qx8RhielSbI/WJypR9Zw9nI/AAAAAAAADus/Opsfy8FxRIIBmouywdl7uT94ZpfwKr6JACLcB/s1600/note.jpg"
+ ],
+ "encryption": "AES-256 + RSA-2048",
+ "extensions": [
+ ".crypt"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "DynA-Crypt Ransomware",
+ "uuid": "9979ae53-98f7-49a2-aa1e-276973c2b44f"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Serpent Danish Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/serpent-danish-ransomware.html"
+ ],
+ "ransomnotes": [
+ "==== NEED HELP WITH TRANSLATE? USE https://translate.google.com ====\n================ PLEASE READ THIS MESSAGE CAREFULLY ================\n Your documents, photos, videos, databases and other important files have been encrypted! The files have been encrypted using AES256 and RSA2048 encryption (unbreakable) To decrypt your files you need to buy the special software 'SerpentDecrypter'.You can buy this software on one of the websites below. xxxx://vdpbkmwbnp.pw/00000000-00000000-00000000-00000000 xxxx://hnxrvobhgm.pw/00000000-00000000-00000000-00000000 If the websites above do not work you can use a special website on the TOR network. Follow the steps below\n1. 
Download the TOR browser https://www.torproject.org/projects/torbrowser.html.en#downloads\n2. Inside the TOR browser brower navigate to : 3o4kqe6khkfgx25g.onion/00000000-00000000-00000000-00000000 \n3. Follow the instructions to buy 'Serpent Decrypter'\n================ PLEASE READ THIS MESSAGE CAREFULLY ================"
+ ],
+ "encryption": "AES-256 + RSA-2048",
+ "extensions": [
+ ".crypt"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Serpent 2017 Ransomware",
+ "uuid": "3b472aac-085b-409e-89f1-e8c766f7c401"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-tAp9wE6CJxM/WJrvOOyIfRI/AAAAAAAADts/iMfaiDRyRcQuPXgtQV--qt7q8ZI3ZV0tQCLcB/s1600/note1%252B.jpg",
+ "README.HTML"
+ ],
+ "encryption": "ROT-23",
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Erebus 2017 Ransomware",
+ "uuid": "c21e637c-6611-47e1-a191-571409b6669a"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Ransomuhahawhere"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/ransomuhahawhere.html"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-7KRVg6kt418/WJnwxDOV5NI/AAAAAAAADrk/or9DbPMl-7ksN7OwIAH6BMJwE5fGc_BfgCLcB/s1600/note_2.png"
+ ],
+ "extensions": [
+ ".locked"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Cyber Drill Exercise ",
+ "uuid": "dcb183d1-11b5-464c-893a-21e132cb7b51"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/cancer-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/watch-your-computer-go-bonkers-with-cancer-trollware/"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-ozPs6mwKfEI/WJjTwbrOx9I/AAAAAAAADqE/4gewG-f_dLQQDevajtn8CnX69lvWgCZQACLcB/s1600/wallp.jpg"
+ ],
+ "extensions": [
+ ".cancer"
+ ],
+ "date": "February 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. This is a trollware that does not encrypt your files but makes your computer act crazy (like in the video in the link below). 
It is meant to be annoying and it is hard to erase from your PC, but possible.",
+ "value": "Cancer Ransomware FAKE",
+ "uuid": "ef747d7f-894e-4c0c-ac0f-3fa1ef3ef17f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/02/updatehost-ransomware.html",
+ "https://www.bleepingcomputer.com/startups/Windows_Update_Host-16362.html"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-BOmKmroIvEI/WJn-LAUmyyI/AAAAAAAADsI/W987TEaOnEAd45AOxO1cFyFvxEx_RfehgCLcB/s1600/note_2.png"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".locked"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Microsoft Copyright 2017 and requests ransom in bitcoins.",
+ "value": "UpdateHost Ransomware",
+ "uuid": "ed5b30b0-2949-410a-bc4c-3d90de93d033"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/nemesis-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-dLSbqOiIbLU/WHPh-akYinI/AAAAAAAADC0/6nFQClDBJ5M7ZhrjkhnxfkdboOh7SlE-ACLcB/s1600/v5YZMxt.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".v8dp"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Ransom is 10 bitcoins.",
+ "value": "Nemesis Ransomware",
+ "uuid": "b5942085-c9f2-4d1a-aadf-1061ad38fb1d"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "File0Locked KZ Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/evil-ransomware.html",
+ "http://www.enigmasoftware.com/evilransomware-removal/",
+ "http://usproins.com/evil-ransomware-is-lurking/",
+ "https://twitter.com/jiriatvirlab/status/818443491713884161",
+ "https://twitter.com/PolarToffee/status/826508611878793219"
+ ],
+ "ransomnotes": [
+ "HOW_TO_DECRYPT_YOUR_FILES.TXT",
+ "HOW_TO_DECRYPT_YOUR_FILES.HTML",
+ "https://3.bp.blogspot.com/-0NFy_yDghZ0/WHO_ClbPdMI/AAAAAAAADCQ/RX2cgYg3z381gro6UUQtAED7JgXHbvGLgCLcB/s1600/note-txt_2.png",
+ "https://4.bp.blogspot.com/-xxJ9xdRuWis/WHO_FL-hWcI/AAAAAAAADCU/VqI02AhzopQY1WKk-k6QYSdHFWFzg1NcACLcB/s1600/note_2.png"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".file0locked",
+ ".evillock"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Domain KZ is used, therefore it is assumed that the decrypter is from Kazakhstan. 
Coded in Javascript",
+ "value": "Evil Ransomware",
+ "uuid": "57933295-4a0e-4f6a-b06b-36807ff150cd"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Ocelot Locker Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/ocelot-ransomware.html",
+ "https://twitter.com/malwrhunterteam/status/817648547231371264"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-3iMAtqvAmts/WHEyA_dW5OI/AAAAAAAADAY/tE5FtaVMJcc3aQQvWI4XOdjtvbXufFgywCLcB/s1600/lock1.jpg",
+ "https://3.bp.blogspot.com/-DMxJm5GT0VY/WHEyEOi_vZI/AAAAAAAADAc/6Zi3IBuBz1I7jdQHcSrzhUGagGCUfs6iACLcB/s1600/lock2.jpg"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. This is a fake ransomware. Your files are not really encrypted, however the attacker does ask for a ransom of .03 bitcoins. It is still dangerous even though it is fake, he still go through to your computer.",
+ "value": "Ocelot Ransomware (FAKE RANSOMWARE)",
+ "uuid": "054b9fbd-72fa-464f-a683-a69ab3936d69"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Blablabla Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/skyname-ransomware.html",
+ "https://twitter.com/malwrhunterteam/status/817079028725190656"
+ ],
+ "ransomnotes": [
+ "INFOK1.txt",
+ "https://1.bp.blogspot.com/-i4ksJq-UzX8/WHFFXQL5wAI/AAAAAAAADA8/awfsqj1lr7IMBAPtE0tB44PNf1N6zkGDwCLcB/s1600/note_2.png",
+ "https://1.bp.blogspot.com/-OlKgHvtAUHg/WHFDCx4thaI/AAAAAAAADAw/wzBXV17Xh-saaFGlrxw3CDNhGSTaVe2dQCLcB/s1600/lock1.jpg"
+ ],
+ "encryption": "AES",
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to Czechoslovakianspeaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Based on HiddenTear",
+ "value": "SkyName Ransomware",
+ "uuid": "00b8ff33-1504-49a4-a025-b761738eed68"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Depsex Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/mafiaware.html",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/",
+ "https://twitter.com/BleepinComputer/status/817069320937345024"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-BclLp7x1sUM/WG6acqtDBbI/AAAAAAAAC_I/ToVEXx-G2DcKD4d7TZ0RkVqA1wRicxnZQCLcB/s1600/note_2.png",
+ "READ_ME.txt"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".locked-by-mafia"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 155$ inbitcoins. Creator of ransomware is called Mafia. 
Based on HiddenTear",
+ "value": "MafiaWare Ransomware",
+ "uuid": "e5a60429-ae5d-46f4-a731-da9e2fcf8b92"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Purge Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/globe3-ransomware.html",
+ "https://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/",
+ "https://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/",
+ "https://decryptors.blogspot.co.il/2017/01/globe3-decrypter.html",
+ "https://decrypter.emsisoft.com/globe3"
+ ],
+ "ransomnotes": [
+ "How To Recover Encrypted Files.hta",
+ "https://2.bp.blogspot.com/-Wk1_IdcEHbk/WG6FVnoaKlI/AAAAAAAAC-4/WeHzJAUJ0goxxuAoGUUebSgzGHrnD6LQQCLcB/s1600/Globe-ransom-note_2.png.png",
+ "https://3.bp.blogspot.com/-lYkopoRH0wQ/WHOt1KhhzhI/AAAAAAAADCA/nPdhHK3wEucAK1GHodeh5w3HcpdugzSHwCLcB/s1600/globe3-9-1-17.png"
+ ],
+ "encryption": "AES-256+RSA or RC4",
+ "extensions": [
+ ".badnews",
+ ".globe",
+ ".[random].bit",
+ ".[random].encrypted",
+ ".[random].raid10",
+ ".[random].globe",
+ ".[mia.kokers@aol.com]",
+ ".unlockv@india.com",
+ ".rescuers@india.com.3392cYAn548QZeUf.lock",
+ ".locked",
+ ".decrypt2017",
+ ".hnumkhotep"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 3 bitcoins. Extesion depends on the config file. 
It seems Globe is a ransomware kit.",
+ "value": "Globe3 Ransomware",
+ "uuid": "fe16edbe-3050-4276-bac3-c7ff5fd4174a"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "FireCrypt Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/bleedgreen-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-np8abNpYeoU/WG1KX4_H0yI/AAAAAAAAC98/gxRJeDb01So5yTboXYP7sZWurJFBbWziACLcB/s1600/note-html.jpg"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".firecrypt"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 500$ in bitcoins. Requires .NET Framework 4.0. Gets into your startup system and sends you notes like the one below: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg",
+ "value": "BleedGreen Ransomware",
+ "uuid": "fbb3fbf9-50d7-4fe1-955a-fd4defa0cb08"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/btcamant.html"
+ ],
+ "ransomnotes": [
+ "BTC_DECRYPT_FILES.txt",
+ "BTC_DECRYPT_FILES.html",
+ "https://2.bp.blogspot.com/-uiHluU553MU/WGzoFpEWkfI/AAAAAAAAC9o/M34ndwHUsoEfZiLJv9j4PCgBImS8oyYaACLcB/s1600/note_2.png"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".BTC"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Original name is Mission 1996 or Mission: \u201cImpossible\u201d (1996) (like the movie)",
+ "value": "BTCamant Ransomware",
+ "uuid": "a5826bd3-b457-4aa9-a2e7-f0044ad9992f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/x3m-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-hMAakgAORvg/WG_i-lk09II/AAAAAAAADAI/Uq2iCHC5ngYzeVcuxQF0mcbrLqyOGcA_wCLcB/s1600/note.png"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ "_x3m",
+ "_r9oj",
+ "_locked"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. It is also possible to break in using RDP Windows with the help of Pass-the-Hash system, PuTTY, mRemoteNG, TightVNC, Chrome Remote Desktop, modified version of TeamViewer, AnyDesk, AmmyyAdmin, LiteManager, Radmin and others. Ransom is 700$ in Bitcoins.",
+ "value": "X3M Ransomware",
+ "uuid": "192bc3e8-ace8-4229-aa88-37034a11ef5b"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/gog-ransomware.html",
+ "https://twitter.com/BleepinComputer/status/816112218815266816"
+ ],
+ "ransomnotes": [
+ "DecryptFile.txt",
+ "https://4.bp.blogspot.com/-cAnilnXjK7k/WG_OHhC_UdI/AAAAAAAAC_4/sdbzTx9hP4sryM7xE59ONdk7Zr8D_m6XwCLcB/s1600/note-txt_2.png",
+ "https://1.bp.blogspot.com/-TDK91s7FmNM/WGpcwq5HmwI/AAAAAAAAC8Q/i0Q66vE7m-0kmrKPXWdwnYQg6Eaw2KSDwCLcB/s1600/note-pay_2.png"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".LOCKED"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "GOG Ransomware",
+ "uuid": "c3ef2acd-cc5d-4240-80e7-47e85b46db96"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/edgelocker-ransomware.html",
+ "https://twitter.com/BleepinComputer/status/815392891338194945"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-dNBgohC1UYg/WGnXhem546I/AAAAAAAAC7w/Wv0Jy4173xsBJDZPLMxe6lXBgI5BkY4BgCLcB/s1600/note-lock.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".edgel"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.1 Bitcoins. Original name is TrojanRansom.",
+ "value": "EdgeLocker",
+ "uuid": "ecfa106d-0aff-4f7e-a259-f00eb14fc245"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/red-alert-ransomware.html",
+ "https://twitter.com/JaromirHorejsi/status/815557601312329728"
+ ],
+ "ransomnotes": [
+ "MESSAGE.txt",
+ "https://1.bp.blogspot.com/-tDS74fDwB1Q/WGk2D5DcUYI/AAAAAAAAC6s/vahju5JD9B4chwnNDUvDPp4ejZOxnj_awCLcB/s1600/note-wallp.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".locked"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Fake name: Microsoft Corporation. 
Based on HiddenTear",
+ "value": "Red Alert",
+ "uuid": "f762860a-5e7a-43bf-bef4-06bd27e0b023"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/first-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-T0PhVuoFSyA/WGk5mYkRFAI/AAAAAAAAC64/j14Pt84YUmQMNa_5LSEn6fZ5CoYqz60swCLcB/s1600/note-lock.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".locked"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "First",
+ "uuid": "ed26fcf3-47fb-45cc-b5f9-de18f6491934"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html",
+ "https://twitter.com/JakubKroustek/status/825790584971472902"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-XZNMg5P75r4/WI985j-EKHI/AAAAAAAADcw/jGdtXoq2pnwjlAbFAJia4UsXuJrV5AU3gCLcB/s1600/note.jpg",
+ "Xhelp.jpg"
+ ],
+ "encryption": "Twofish",
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Written on Delphi. 
The user requests the victim to get in touch with him through ICQ to get the ransom and return the files.",
+ "value": "XCrypt Ransomware",
+ "uuid": "fd5bb71f-80dc-4a6d-ba8e-ed74999700d3"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/7zipper-ransomware.html",
+ "https://1.bp.blogspot.com/-ClM0LCPjQuk/WI-BgHTpdNI/AAAAAAAADc8/JyEQ8-pcJmsXIntuP-MMdE-pohVncxTXQCLcB/s1600/7-zip-logo.png"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-BR0DvtIft7g/WI95IF7IdUI/AAAAAAAADck/gzWAMbpFvaYicHFuMzvlM3YGJpgulMQBQCLcB/s1600/note_2.png"
+ ],
+ "encryption": "Twofish",
+ "extensions": [
+ ".7zipper"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "7Zipper Ransomware",
+ "uuid": "d8ec9e54-a4a4-451e-9f29-e7503174c16e"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/zyka-ransomware.html",
+ "https://www.pcrisk.com/removal-guides/10899-zyka-ransomware",
+ "https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip",
+ "https://twitter.com/GrujaRS/status/826153382557712385"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-SF4RsOANlI0/WJBQd4SJv6I/AAAAAAAADdY/hI-Ncw9FoFMi5jvljUftpzTgdykOfR3vgCLcB/s1600/lock-wallp_2.png.png"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".lock",
+ ".locked"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Ransom is 170$ or EUR in Bitcoins.",
+ "value": "Zyka Ransomware",
+ "uuid": "7b7c8124-c679-4201-b5a5-5e66e6d52b70"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/sureransom-ransomware.html",
+ "http://www.forbes.com/sites/leemathews/2017/01/27/fake-ransomware-is-tricking-people-into-paying/#777faed0381c"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-zShnOIf3R_E/WJBfhC4CdSI/AAAAAAAADdo/6l4hwSOmI0Evj4W0Esj1S_uNOy5Yq6X0QCLcB/s1600/note1-2-3.gif"
+ ],
+ "encryption": "AES-256 (fake)",
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to strike worldwide. This ransomware does not really encrypt your files. Ransom requested is \u00a350 using credit card.",
+ "value": "SureRansom Ransomeware (Fake)",
+ "uuid": "a9365b55-acd8-4b70-adac-c86d121b80b3"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2017/01/netflix-ransomware.html",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/rogue-netflix-app-spreads-netix-ransomware-that-targets-windows-7-and-10-users/",
+ "http://www.darkreading.com/attacks-breaches/netflix-scam-spreads-ransomware/d/d-id/1328012",
+ "https://4.bp.blogspot.com/-bQQ4DTIClvA/WJCIh6Uq2nI/AAAAAAAADfY/hB5HcjuGgh8rRJKeLHo__IRz3Ezth22-wCEw/s1600/form1.jpg",
+ "https://4.bp.blogspot.com/-ZnWdPDprJOg/WJCPeCtP4HI/AAAAAAAADfw/kR0ifI1naSwTAwSuOPiw8ZCPr0tSIz1CgCLcB/s1600/netflix-akk.png"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-vODt2aB9Hck/WJCFc3g5eCI/AAAAAAAADe8/OrEVkqUHMU4swRWedoZuBu50AWoKR1FGACLcB/s1600/netflix-note.jpg",
+ "https://4.bp.blogspot.com/-Cw4e1drBKl4/WJCHmgp1vtI/AAAAAAAADfI/QqFxUsuad"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".se"
+ ],
+ "date": "January 2017"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. 
It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses the known online library as a decoy. It poses as Netflix Code generator for Netflix login, but instead encrypts your files. The ransom is 100$ in Bitcoins.",
+ "value": "Netflix Ransomware",
+ "uuid": "1317351f-ec8f-4c76-afab-334e1384d3d3"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Merry X-Mas",
+ "MRCR"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/mrcr1-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/",
+ "http://www.zdnet.com/article/not-such-a-merry-christmas-the-ransomware-that-also-steals-user-data/",
+ "https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/",
+ "https://decrypter.emsisoft.com/mrcr"
+ ],
+ "ransomnotes": [
+ "YOUR_FILES_ARE_DEAD.HTA",
+ "MERRY_I_LOVE_YOU_BRUCE.HTA",
+ "https://2.bp.blogspot.com/-3F3QAZnDxsI/WGpvD4wZ2OI/AAAAAAAAC80/-2L6dIPqsgs8hZHOX0T6AFf5LwPwfZ-rwCLcB/s1600/note.png",
+ "https://4.bp.blogspot.com/-_w8peyLMcww/WHNJ1Gb0qeI/AAAAAAAADBw/EVbR-gKipYoNujo-YF6VavafsUfWDANEQCLcB/s1600/8-1-17.png"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".MRCR1",
+ ".PEGS1",
+ ".RARE1",
+ ".RMCM1",
+ ".MERRY"
+ ],
+ "date": " December 2016"
+ },
+ "description": "It\u2019s directed to English and Italian speaking users, therefore is able to infect worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. They pose as a Consumer complaint notification that\u2019s coming from Federal Trade Commission from USA, with an attached file called \u201ccomplaint.pdf\u201d. 
Written in Delphi by hacker MicrRP.",
+ "value": "Merry Christmas",
+ "uuid": "72cbed4e-b26a-46a1-82be-3d0154fdd2e5"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/seoirse-ransomware.html"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".seoire"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Seoirse is how in Ireland people say the name George. Ransom is 0.5 Bitcoins.",
+ "value": "Seoirse Ransomware",
+ "uuid": "bdf807c2-74ec-4802-9907-a89b1d910296"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/killdisk-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/killdisk-ransomware-now-targets-linux-prevents-boot-up-has-faulty-encryption/",
+ "https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/",
+ "http://www.zdnet.com/article/247000-killdisk-ransomware-demands-a-fortune-forgets-to-unlock-files/",
+ "http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware",
+ "http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/",
+ "https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-8MqANWraAgE/WGT7mj-XirI/AAAAAAAAC3g/H_f1hTxa7Sc_DEtllBe-vYaAfY-YqMelgCLcB/s1600/wallp.png"
+ ],
+ "encryption": "AES-256+RSA",
+ "date": "November/December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on.
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Every file is encrypted with a personal AES-key, and then AES-key encrypts with a RSA-1028 key. Hacking by TeleBots (Sandworm). Goes under a fake name: Update center or Microsoft Update center.",
+ "value": "KillDisk Ransomware",
+ "uuid": "8e067af6-d1f7-478a-8a8e-5154d2685bd1"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-9vg_tRPq8rQ/WGOjf4ULuGI/AAAAAAAACzw/d16uRmEOotsCbRM4hwvzQ6bB8xAVNJ7ogCLcB/s1600/DeriaLock.gif",
+ "unlock-everybody.txt"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".deria"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Maker is arizonacode and ransom amount is 20-30$. If the victim decides to pay the ransom, he will have to copy HWID and then speak to the hacker on Skype and forward him the payment.",
+ "value": "DeriaLock Ransomware",
+ "uuid": "c0d7acd4-5d64-4571-9b07-bd4bd0d27ee3"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html",
+ "https://twitter.com/demonslay335/status/813064189719805952"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-hApL-ObdWsk/WGAYUyCzPcI/AAAAAAAACyg/NuL26zNgRGcLnnF2BwgOEn3AYMgVu3gQACLcB/s1600/More-note.png",
+ "More.html"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".bript"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide.
It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "BadEncript Ransomware",
+ "uuid": "43bfbb2a-9416-44da-81ef-03d6d3a3923f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/adamlocker-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-9IgXt6L0hLY/WGARdzJgfvI/AAAAAAAACyQ/1bfnX_We65AirDcAFpiG49NPuBMfGH9wwCLcB/s1600/note-adam.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".adam"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the creator is puff69.",
+ "value": "AdamLocker Ransomware",
+ "uuid": "5e7d10b7-18ec-47f7-8f13-6fd03d10a8bc"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/alphabet-ransomware.html",
+ "https://twitter.com/PolarToffee/status/812331918633172992"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-bFPI3O1BI3s/WGPpvnDvNNI/AAAAAAAAC10/mLUiFOCWnEkjbV91PmUGnc3qsFMv9um8QCLcB/s1600/wallp.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".alphabet"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses as Windows 10 Critical Update Service. Offers you to update your Windows 10, but instead encrypts your files.
For successful attack, the victim must have .NET Framework 4.5.2 installed on him computer.",
+ "value": "Alphabet Ransomware",
+ "uuid": "dd356ed3-42b8-4587-ae53-95f933517612"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "KokoLocker Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/kokokrypt-ransomware.html",
+ "http://removevirusadware.com/tips-for-removeing-kokokrypt-ransomware/"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-NiQ6rSIprB8/WF-uxTMq6hI/AAAAAAAACyA/tA6qO3aJdGc0Dn_I-IOZOM3IwN5rgq9sACLcB/s1600/note-koko.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".kokolocker"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files and documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru",
+ "value": "KoKoKrypt Ransomware",
+ "uuid": "d672fe4f-4561-488e-bca6-20385b53d77f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/l33taf-locker-ransomware.html"
+ ],
+ "ransomnotes": [
+ "YOU_HAVE_BEEN_HACKED.txt",
+ "https://2.bp.blogspot.com/-yncl7-Jy198/WGDjdgNKXjI/AAAAAAAACzA/bfkDgwWEGKggUG3E1tgPBAWDXwi-p-7AwCLcB/s1600/note_2.png"
+ ],
+ "encryption": "AES-256+RSA",
+ "extensions": [
+ ".l33tAF"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.5 bitcoins.
The name of the creator is staffttt, he also created Fake CryptoLocker",
+ "value": "L33TAF Locker Ransomware",
+ "uuid": "791a6720-d589-4cf7-b164-08b35b453ac7"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "PClock SysGop Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/pclock4-sysgop-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-T9Mt0pE7kwY/WF7NKAPfv1I/AAAAAAAACxw/gOjxeSR0x7EurKQTI2p6Ym70ViYuYdsvQCLcB/s1600/note_2.png"
+ ],
+ "encryption": "AES-256+RSA",
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam (for example: \u201cyou have a criminal case against you\u201d), fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "PClock4 Ransomware",
+ "uuid": "b78be3f4-e39b-41cc-adc0-5824f246959b"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/guster-ransomware.html",
+ "https://twitter.com/BleepinComputer/status/812131324979007492"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-0-kDVCM-kuI/WGVH-d2trGI/AAAAAAAAC4A/4LlxFpwkhEk89QcJ5ZhO1i-T6dQ_RcVegCEw/s1600/guster-note-2.jpg"
+ ],
+ "encryption": "AES-256+RSA",
+ "extensions": [
+ ".locked"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..
This ransomware uses VBS-script to send a voice message as the first few lines of the note.",
+ "value": "Guster Ransomware",
+ "uuid": "ffa7ac2f-b216-4fac-80be-e859a0e0251f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/roga-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-ZIWywQMf2mY/WGJD-rqLZYI/AAAAAAAACzQ/p5PWlpWyHjcVHKq74DOsE7yS-ornW48_QCLcB/s1600/note.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".madebyadam"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker requests the ransom in Play Store cards. https://3.bp.blogspot.com/-ClUef8T55f4/WGKb8U4GeaI/AAAAAAAACzg/UFD0X2sORHYTVRNBSoqd5q7TBrOblQHmgCLcB/s1600/site.png",
+ "value": "Roga",
+ "uuid": "cd1eb48e-070b-418e-8d83-4644a388f8ae"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Fake CryptoLocker"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/cryptolocker3-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-LDSJ7rws1WI/WGDR-oDSshI/AAAAAAAACyw/_Kn0mnjpm2YN5tS9YldEnca-zOLJpXjcACLcB/s1600/crypto1-2.gif"
+ ],
+ "encryption": "AES-128+RSA",
+ "extensions": [
+ ".cryptolocker"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..
Creator is staffttt and the ransom is 0.5 botcoins.",
+ "value": "CryptoLocker3 Ransomware",
+ "uuid": "4094b021-6654-49d5-9b80-a3666a1c1e44"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/proposalcrypt-ransomware.html",
+ "http://www.archersecuritygroup.com/what-is-ransomware/",
+ "https://twitter.com/demonslay335/status/812002960083394560",
+ "https://twitter.com/malwrhunterteam/status/811613888705859586"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-TkMikT4PA3o/WFrb4it2u9I/AAAAAAAACww/_zZgu9EHBj8Ibar8i5ekwaowGBD8EoOygCLcB/s1600/note.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".crypted"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 1.0 bitcoins.",
+ "value": "ProposalCrypt Ransomware",
+ "uuid": "4cf270e7-e4df-49d5-979b-c13d8ce117cc"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/manifestus-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2016-cryptxxx-koolova-cerber-and-more/",
+ "https://twitter.com/struppigel/status/811587154983981056"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-85wiBKXIqro/WFrFOaNeSsI/AAAAAAAACwA/UyrPc2bKQCcznmtLTFkEfc6lEvhseyRYACLcB/s1600/lock1.jpg"
+ ],
+ "encryption": "AES",
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker demands 0.2 bitcoins.
The ransomware poses as a Window update.",
+ "value": "Manifestus Ransomware ",
+ "uuid": "e62ba8f5-e7ce-44ab-ac33-713ace192de3"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "IDRANSOMv3",
+ "Manifestus"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/enkripsipc-ransomware.html",
+ "https://twitter.com/demonslay335/status/811343914712100872",
+ "https://twitter.com/BleepinComputer/status/811264254481494016",
+ "https://twitter.com/struppigel/status/811587154983981056"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-owEtII_eezA/WFmOp0ccjaI/AAAAAAAACvk/gjYcSeflS4AChm5cYO5c3EV4aSmzr14UwCLcB/s1600/enc100.gif"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".fucked"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the hacker is humanpuff69 and he requests 0.5 bitcoins. The encryption password is based on the computer name",
+ "value": "EnkripsiPC Ransomware",
+ "uuid": "52caade6-ba7b-474e-b173-63f4332aa808"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/braincrypt-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-KrKO1vYs-1w/WFlw6bOfI_I/AAAAAAAACug/42w1VSl2GIoxRuA2SPKJr6xYp3c4OBnJQCLcB/s1600/note_2.png",
+ "https://3.bp.blogspot.com/-8bxTSAADM7M/WFmBEu-eUXI/AAAAAAAACvU/xaQBufV5a-4GWEJhXj2VVLqXnTjQJYNrwCLcB/s1600/note-brain2.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".braincrypt"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..
So far the victims are from Belarus and Germany.",
+ "value": "BrainCrypt Ransomware",
+ "uuid": "ade6ec5e-e082-43cb-9b82-ff8c0f4d7e56"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html",
+ "https://twitter.com/struppigel/status/810766686005719040"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-R-lKbH_tLvs/WGPRa-hCtqI/AAAAAAAAC1Y/zgKYZmys_jciaYhtTUsVLen5IHX8_LyiACLcB/s1600/note_2.png",
+ "RESTORE_YOUR_FILES.txt"
+ ],
+ "encryption": "AES",
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.2 bitcoins.",
+ "value": "MSN CryptoLocker Ransomware",
+ "uuid": "7de27419-9874-4c3f-b75f-429a507ed7c5"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/cryptoblock-ransomware.html",
+ "https://twitter.com/drProct0r/status/810500976415281154"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-4Y7GZEsWh7A/WFfnmQFF7nI/AAAAAAAACsQ/j3rXZmWrDxMM6xhV1s4YVl_WLDe28cpAwCLcB/s1600/001.jpg"
+ ],
+ "encryption": "RSA-2048",
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is in the amount is 0.3 bitcoins. The ransomware is disguises themselves as Adobe Systems, Incorporated. RaaS",
+ "value": "CryptoBlock Ransomware ",
+ "uuid": "7b0df78e-8f00-468f-a6ef-3e1bda2a344c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/aes-ni-ransomware.html"
+ ],
+ "ransomnotes": [
+ "!!!
READ THIS -IMPORTANT !!!.txt",
+ "https://4.bp.blogspot.com/-GdF-kk1j9-8/WFl6NVm3PAI/AAAAAAAACvE/guFIi_FUpgIQNzX-usJ8CpofX45eXPvkQCLcB/s1600/note_2.png"
+ ],
+ "encryption": "AES-256 (ECB) + RSA-2048",
+ "extensions": [
+ ".aes256"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "AES-NI Ransomware ",
+ "uuid": "69c9b45f-f226-485f-9033-fcb796c315cf"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/koolova-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-free-if-you-read-two-articles-about-ransomware/"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-kz7PePfAiLI/WGTpY3us5LI/AAAAAAAAC3A/wu1rkx-BWlMzglJXXmCxeuYzbZKN5FP4gCLcB/s1600/koolova-v2.png"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".encrypted"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker of this ransomware tends to make lots of spelling errors in his requests.
With Italian text that only targets the Test folder on the user's desktop",
+ "value": "Koolova Ransomware",
+ "uuid": "ff6b8fc4-cfe0-45c1-9814-3261e39b4c9a"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Globe Imposter",
+ "GlobeImposter"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/",
+ "https://twitter.com/fwosar/status/812421183245287424",
+ "https://decrypter.emsisoft.com/globeimposter",
+ "https://twitter.com/malwrhunterteam/status/809795402421641216"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-F8oAU82KnQ4/WFWgxjZz2vI/AAAAAAAACrI/J76wm21b5K4F9sjLF1VcEGoif3cS-Y-bwCLcB/s1600/note.jpg",
+ "HOW_OPEN_FILES.hta"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".crypt"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026 The ransom is 1bitcoin.",
+ "value": "Fake Globe Ransomware",
+ "uuid": "e03873ef-9e3d-4d07-85d8-e22a55f60c19"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/v8locker-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-Acmbpw6fEaQ/WFUFKU9V9ZI/AAAAAAAACqc/47AceoWZzOwP9qO8uenjNVOVXeFJf7DywCLcB/s1600/note_2.png"
+ ],
+ "encryption": "RSA",
+ "extensions": [
+ ".v8"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on.
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026",
+ "value": "V8Locker Ransomware",
+ "uuid": "45862a62-4cb3-4101-84db-8e338d17e283"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/cryptorium-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-I0fsQu2YXMI/WFLb9LPdkFI/AAAAAAAACoY/xqRhgO1o98oruVDMC6rO4RxCk5MFDSTYgCLcB/s1600/lock.jpg"
+ ],
+ "encryption": "RSA",
+ "extensions": [
+ ".ENC"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc., however your files are not really encrypted, only the names are changed.",
+ "value": "Cryptorium (Fake Ransomware)",
+ "uuid": "96bd63e5-99bd-490c-a23a-e0092337f6e6"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/antihacker2017-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-k7iDPgj17Zo/WFKEfMvR4wI/AAAAAAAACn4/8irB4Tf1x_MjfTmWaAjuae6mFJbva6GcwCLcB/s1600/note.jpg"
+ ],
+ "encryption": "XOR",
+ "extensions": [
+ ".antihacker2017"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to Russian speaking users, there fore is able to infect mosty the old USSR countries. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc \u2026 The hacker goes by the nickname Antihacker and requests the victim to send him an email for the decryption.
He does not request any money only a warning about looking at porn (gay, incest and rape porn to be specific).",
+ "value": "Antihacker2017 Ransomware",
+ "uuid": "efd64e86-611a-4e10-91c7-e741cf0c58d9"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/cia-special-agent-767-ransomware.html",
+ "https://www.bleepingcomputer.com/virus-removal/remove-cia-special-agent-767-screen-locker",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-16th-2016-samas-no-more-ransom-screen-lockers-and-more/",
+ "https://guides.yoosecurity.com/cia-special-agent-767-virus-locks-your-pc-screen-how-to-unlock/"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-6I7jtsp5Wi4/WFLqnfUvg5I/AAAAAAAACow/BCOv7etYxxwpIERR1Qs5fmJ2wKBx3sqmACLcB/s1600/screen-locker.png"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect users all over the world. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026 Your files are not really encrypted and nothing actually happens, however the hacker does ask the victim to pay a sum of 100$, after 5 days the sum goes up to 250$ and thereafter to 500$. After the payment is received, the victim gets the following message informing him that he has been fooled and he simply needed to delete the note.
https://4.bp.blogspot.com/-T8iSbbGOz84/WFGZEbuRfCI/AAAAAAAACm0/SO8Srwx2UIM3FPZcZl7W76oSDCsnq2vfgCPcB/s1600/code2.jpg",
+ "value": "CIA Special Agent 767 Ransomware (FAKE!!!)",
+ "uuid": "e479e32e-c884-4ea0-97d3-3c3356135719"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/loveserver-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-LY1A0aeA_c0/WFEduvkiNQI/AAAAAAAACjk/B2-nFQoExscMVvZqvCaf9R4z_C6-rSdvACLcB/s1600/note2.png.png"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026 This hacker request your IP address in return for the decryption.",
+ "value": "LoveServer Ransomware ",
+ "uuid": "d1698a73-8be8-4c10-8114-8cfa1c399eb1"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/kraken-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-E4brsgJRDHA/WFBU7wPaYLI/AAAAAAAACjU/sLEkzMiWp5wuc8hpFbylC7lLVMhftCLGgCLcB/s1600/111m.png",
+ "https://2.bp.blogspot.com/-b5caw8XAvIQ/WFBUuOto40I/AAAAAAAACjQ/_yzwIU17BHw4Ke4E3wM_XBI1XfnAvGSZQCLcB/s1600/005.png",
+ "_HELP_YOUR_FILES.html"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".kraken",
+ "[base64].kraken"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on.
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026 The hacker requests 2 bitcoins in return for the files.",
+ "value": "Kraken Ransomware",
+ "uuid": "51737c36-11a0-4c25-bd87-a990bd479aaf"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/antix-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-6iMtvGe3T58/WE8Ftx7zcUI/AAAAAAAACiE/2ISTxSYzgKEgnfQ7FSUWo3BiCeVLHH_uwCLcB/s1600/note.jpg"
+ ],
+ "encryption": "AES",
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026 The ransom is 0.25 bitcoins and the nickname of the hacker is FRC 2016.",
+ "value": "Antix Ransomware",
+ "uuid": "8a7e0615-b9bd-41ab-89f1-62d041350e99"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html",
+ "https://twitter.com/BleepinComputer/status/808316635094380544"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-MWEyG49z2Qk/WE78wLqCXPI/AAAAAAAAChw/SIlQSe_o_wMars2egfZ7VqKfWuan6ThwQCLcB/s1600/note1.jpg",
+ "!!!!!ATEN\u00c7\u00c3O!!!!!.html"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".sexy"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026 The ransom is R$950 which is due in 5 days.
(R$ is a Brazilian currency) Based off of Hidden-Tear",
+ "value": "PayDay Ransomware ",
+ "uuid": "70324b69-6076-4d00-884e-7f9d5537a65a"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/slimhem-ransomware.html"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".encrypted"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is NOT spread using email spam, fake updates, attachments and so on. It simply places a decrypt file on your computer.",
+ "value": "Slimhem Ransomware",
+ "uuid": "76b14980-e53c-4209-925e-3ab024210734"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/m4n1f3sto-ransomware.html"
+ ],
+ "ransomnotes": [
+ "I want to play a game with you. Let me explain the rules. Your personal files are being deleted. Your photos, videos, documents, etc... But, don't worry! It will only happen if you don't comply. However I've already encrypted your personal files, so you cannot access therm. Every hour I select some of them to delete permanently, therefore I won't be able to access them, either. Are you familiar with the concept of exponential growth? Let me help you out. It starts out slowly then increases rapidly. During the first 24 hour you will only lose a few files, the second day a few hundred, the third day a few thousand, and so on. If you turn off your computer or try to close me, when i start the next time you will het 1000 files deleted as punishment. Yes you will want me to start next time, since I am the only one that is capable to decrypt your personal data for you. Now, let's start and enjoy our little game together!
Send 0.3 bitcoins to this adress to unlock your Pc with your email adress Your can purchase bitcoins from localbitcoins",
+ "https://3.bp.blogspot.com/-9MsC3A3tuUA/WFGZM45Pw5I/AAAAAAAACms/NbDFma30D9MpK2Zc0O6NvDizU8vqUWWlwCLcB/s1600/M4N1F3STO.jpg"
+ ],
+ "encryption": "AES-256",
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026 FILES DON\u2019T REALLY GET DELETED NOR DO THEY GET ENCRYPTED!!!!!!!",
+ "value": "M4N1F3STO Ransomware (FAKE!!!!!)",
+ "uuid": "94a3be6b-3a83-40fb-85b2-555239260235"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "DaleLocker Ransomware"
+ ],
+ "encryption": "AES+RSA-512",
+ "extensions": [
+ ".DALE"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026 CHIP > DALE",
+ "value": "Dale Ransomware",
+ "uuid": "abe6cbe4-9031-46da-9e1c-89d9babe6449"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/ultralocker-ransomware.html",
+ "https://twitter.com/struppigel/status/807161652663742465"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-DOjKnuzCMo8/WE1Xd8yksiI/AAAAAAAACfo/d93v2xn857gQDg4o5Rd4oZpP3q-Ipv9xgCLcB/s1600/UltraLocker.png"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".locked (added before the ending, not to the ending, for example: file.locked.doc"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on.
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026 Based on the idiotic open-source ransomware called CryptoWire",
+ "value": "UltraLocker Ransomware",
+ "uuid": "3a66610b-5197-4af9-b662-d873afc81b2e"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/aeskeygenassist-ransomware.html",
+ "https://id-ransomware.blogspot.co.il/2016/09/dxxd-ransomware.html",
+ "https://www.bleepingcomputer.com/forums/t/634258/aes-key-gen-assistprotonmailcom-help-support/"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-6NIoKnSTwcs/WExcV900C_I/AAAAAAAACfI/_Hba3mOwk3UQ0T5rGercOglMsCTjVtCnQCLcB/s1600/note2.png"
+ ],
+ "encryption": "AES-256 and RSA-2048",
+ "extensions": [
+ ".pre_alpha"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026",
+ "value": "AES_KEY_GEN_ASSIST Ransomware",
+ "uuid": "d755510f-d775-420c-83a0-b0fe9e483256"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/12/code-virus-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-Lyd1uRKG-94/WFJ3TbNqWfI/AAAAAAAACnc/4LoazYU0S1s1YRz3Xck3LN1vOm5RwIpugCLcB/s1600/note.jpg",
+ "https://4.bp.blogspot.com/-eBeh1lzEYsI/WFJ4l1oJ4fI/AAAAAAAACno/P5inceelNNk-zfkJGhE3XNamOGC8YmBwwCLcB/s1600/str123.gif"
+ ],
+ "encryption": "AES-256 and RSA-2048",
+ "extensions": [
+ ".locky"
+ ],
+ "date": "December 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on.
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Code Virus Ransomware ", + "uuid": "a23d7c45-7200-4074-9acf-8789600fa145" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/12/flkr-ransomware.html" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-Fh2I6542zi4/WEpmphY0i1I/AAAAAAAACe4/FBP3J6UraBMkSMTWx2tm-FRYnmlYLtFWgCLcB/s1600/note2.png.png" + ], + "encryption": "Blowfish", + "extensions": [ + "_morf56@meta.ua_" + ], + "date": "December 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "FLKR Ransomware", + "uuid": "1cdc34ce-43b7-4df1-ae8f-ae0acbe5e4ad" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/12/popcorntime-ransomware.html", + "https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-WxtRn5yVcNw/WEmgAPgO4AI/AAAAAAAACeo/M7iS6L8pSOEr8EUDkCK_g6h0aMKQQXfGwCLcB/s1600/note2.png", + "https://3.bp.blogspot.com/-sLwR-6y2M-I/WEmVIdJuPMI/AAAAAAAACeY/gpQDT-2-d7kkrfTHgiEZCfxViHu7dNE7ACLcB/s1600/med.jpg", + "restore_your_files.html", + "restore_your_files.txt" + ], + "encryption": "AES-256", + "extensions": [ + ".kok", + ".filock" + ], + "date": "December 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. These hackers claim to be students from Syria. 
This ransomware poses as the popular torrent movie screener called PopCorn. These criminals give you the chance to retrieve your files \u201cfor free\u201d by spreading this virus to others. Like shown in the note bellow: https://www.bleepstatic.com/images/news/ransomware/p/Popcorn-time/refer-a-friend.png", + "value": "PopCorn Time Ransomware", + "uuid": "c1b3477b-cd7f-4726-8744-a2c44275dffd" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/12/hackedlocker-ransomware.html" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-G-xrI4N08hs/WFJjQgB3ojI/AAAAAAAACnM/DEfy_skSg044UmbBfNodiQY4OaLkkQPOwCLcB/s1600/note-hacked.jpg" + ], + "encryption": "AES-256", + "extensions": [ + ".hacked" + ], + "date": "December 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026 NO POINT OF PAYING THE RANSOM\u2014THE HACKER DOES NOT GIVE A DECRYPT AFTERWARDS.", + "value": "HackedLocker Ransomware", + "uuid": "c2624d8e-da7b-4d94-b06f-363131ddb6ac" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/12/goldeneye-ransomware.html", + "https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/", + "https://www.bleepingcomputer.com/forums/t/634778/golden-eye-virus/" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-qcJxWivTx1w/WEcEW14om5I/AAAAAAAACa4/xLAlsQGZjeg7Zlg3F2fQAcgQ_6b_cNQLACLcB/s1600/goldeneye-1.jpg", + "https://4.bp.blogspot.com/-avE8liOWdPY/WEcEbdTxx6I/AAAAAAAACa8/KOKgXzU1h2EJ0tTOKMdQzZ_JdWWNeFMdwCLcB/s1600/goldeneye-1-2.jpg" + ], + "encryption": "AES(CBC)", + "extensions": [ + "." 
+ ], + "date": "December 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026", + "value": "GoldenEye Ransomware", + "uuid": "ac7affb8-971d-4c05-84f0-172b61d007d7" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/12/sage-ransomware.html", + "https://www.bleepingcomputer.com/forums/t/634978/sage-file-sample-extension-sage/", + "https://www.bleepingcomputer.com/forums/t/634747/sage-20-ransomware-sage-support-help-topic/" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-GasUzax8cco/WEar0U0tPqI/AAAAAAAACZw/6V_1JFxLMH0UnmLa3-WZa_ML9JbxF0JYACEw/s1600/note-txt2.png" + ], + "encryption": "AES", + "extensions": [ + ".sage" + ], + "date": "December 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026", + "value": "Sage Ransomware", + "uuid": "3e5a475f-7467-49ab-917a-4d1f590ad9b4" + }, + { + "meta": { + "synonyms": [ + "VO_ Ransomware" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/12/sq-vo-ransomware.html" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-Lhq40sgYUpI/WEWpGkkWOKI/AAAAAAAACZQ/iOp9g9Ya0Fk9vZrNKwTEMVcEOzKFIwqgACLcB/s1600/english-2.png" + ], + "encryption": "AES and RSA-1024", + "extensions": [ + ".VO_" + ], + "date": "December 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026 This hacker requests 4 bitcoins for ransom.", + "value": "SQ_ Ransomware", + "uuid": "5024f328-2595-4dbd-9007-218147e55d5f" + }, + { + "meta": { + "synonyms": [ + "Malta Ransomware" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/", + "https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html", + "https://twitter.com/rommeljoven17/status/804251901529231360" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png", + "[5 numbers]-MATRIX-README.RTF" + ], + "encryption": "AES and RSA", + "extensions": [ + ".MATRIX" + ], + "date": "December 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc\u2026", + "value": "Matrix", + "uuid": "42ee85b9-45f8-47a3-9bab-b695ac271544" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/satan666-ransomware.html" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-anaLWyg_iJI/WFaxDs8KI3I/AAAAAAAACro/yGXh3AV-ZpAKmD4fpQbBkAyYXXnkqgR3ACLcB/s1600/note666_2.png" + ], + "encryption": "AES", + "extensions": [ + ".locked" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Satan666 Ransomware", + "uuid": "03d92e7b-95ae-4c5b-8b58-daa2fd98f7a1" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html", + "https://twitter.com/BleepinComputer/status/804810315456200704" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-D-j_9_LZen0/WEPq4G5w5FI/AAAAAAAACXs/GTnckI3CGYQxuDMPXBzpGXDtarPK8yJ5wCLcB/s1600/note_2.PNG", + "Important!.txt" + ], + "encryption": "AES-256", + "extensions": [ + ".R.i.P" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear", + "value": "RIP (Phoenix) Ransomware", + "uuid": "5705df4a-42b0-4579-ad9f-8bfa42bae471" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/novalid-ransomware.html", + "https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/", + "https://twitter.com/struppigel/status/807169774098796544" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-BK_31ORE0ZY/WD284cEVoLI/AAAAAAAACWA/bU0n3MBMD8Mbgzv9bD6VLJb51Q_kr5AJgCLcB/s1600/note.jpg", + "RESTORE_CORUPTED_FILES.HTML" + ], + "encryption": "AES-256", + "extensions": [ + ".novalid" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Based on RemindMe", + "value": "Locked-In Ransomware or NoValid Ransomware", + "uuid": "777f0b78-e778-435f-b4d5-e40f0b7f54c3" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/chartwig-ransomware.html" + ], + "encryption": "AES", + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Chartwig Ransomware", + "uuid": "37fff5f8-8e66-43d3-a075-3619b6f2163d" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/renlocker-ransomware.html" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-281TI8xvMLo/WDw2Nl72OsI/AAAAAAAACTk/nT_rL0z-Exo93FzoOXnyaFgQ7wPe0r7IgCLcB/s1600/Crypter1.jpg" + ], + "encryption": "Rename > Ren + Locker", + "extensions": [ + ".crypter" + ], + "date": "November 2016" + }, + "description": "It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
The files don\u2019t actually get encrypted, their names get changed using this formula: [www-hash-part-]+[number]+[.crypter]", + "value": "RenLocker Ransomware (FAKE)", + "uuid": "957850f7-081a-4191-9e5e-cf9ff27584ac" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/thanksgiving-ransomware.html", + "https://id-ransomware.blogspot.co.il/2016/07/stampado-ransomware-1.html", + "https://twitter.com/BleepinComputer/status/801486420368093184" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-2dC_gQTed4o/WDxRSh_R-MI/AAAAAAAACT4/yWxzCcMqN_8GLjd8dOPf6Mw16mkbfALawCLcB/s1600/lblMain.png" + ], + "encryption": "AES", + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Thanksgiving Ransomware", + "uuid": "459ea908-e39e-4274-8866-362281e24911" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/cockblocker-ransomware.html", + "https://twitter.com/jiriatvirlab/status/801910919739674624" + ], + "ransomnotes": [ + "https://1.bp.blogspot.com/--45C2Cr8sXc/WDiWLTvW-ZI/AAAAAAAACSA/JnJNRr8Kti0YqSnfhPQBF2rsFf-au1g9ACLcB/s1600/Cockblocke.gif" + ], + "encryption": "RSA", + "extensions": [ + ".hannah" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "CockBlocker Ransomware", + "uuid": "3a40c5ae-b117-45cd-b674-a7750e3f3082" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/lomix-ransomware.html", + "https://twitter.com/siri_urz/status/801815087082274816" + ], + "ransomnotes": [ + "https://1.bp.blogspot.com/-nXv88GxxOvQ/WE1gqeD3ViI/AAAAAAAACf4/wcVwQ9Pi_JEP2iWNHoBGmeXKJFsfwmwtwCLcB/s1600/Lomix.png" + ], + "encryption": "AES-256", + "extensions": [ + ".encrypted" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on the idiotic open-source ransomware called CryptoWire", + "value": "Lomix Ransomware", + "uuid": "e721b7c5-df07-4e26-b375-fc09a4911451" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html", + "https://decrypter.emsisoft.com/ozozalocker", + "https://twitter.com/malwrhunterteam/status/801503401867673603" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-r-vBnl-wLwo/WDg7fHph9BI/AAAAAAAACRc/VuMxWa1nUPIGHCzhCf2AyL_uc7Z9iB6MACLcB/s1600/note_2.PNG", + "HOW TO DECRYPT YOU FILES.txt" + ], + "encryption": "AES", + "extensions": [ + ".locked", + ".Locked" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
https://3.bp.blogspot.com/--jubfYRaRmw/WDaOyZXkAaI/AAAAAAAACQE/E63a4FnaOfACZ07s1xUiv_haxy8cp5YCACLcB/s1600/ozoza2.png", + "value": "OzozaLocker Ransomware", + "uuid": "d20b0d12-1a56-4339-b02b-eb3803dc3e6e" + }, + { + "meta": { + "synonyms": [ + "m0on Ransomware" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/crypute-ransomware-m0on.html", + "https://www.bleepingcomputer.com/virus-removal/threat/ransomware/" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-8-8X7Nd1MYs/WDSZN6NIT1I/AAAAAAAACNg/ltc7ppfZZL0vWn8BV3Mk9BVrdmJbcEnpgCLcB/s1600/222.jpg" + ], + "encryption": "AES", + "extensions": [ + ".mo0n" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Crypute Ransomware", + "uuid": "5539c8e7-2058-4757-b9e3-71ff7d41db31" + }, + { + "meta": { + "synonyms": [ + "Fake Maktub Ransomware" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/nmoreira-ransomware.html", + "https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-_i9AjhlvjB8/WDVuLKBnmlI/AAAAAAAACOA/xISXMTBLMbEH4PBS35DQ416woPpkuiVvQCLcB/s1600/note-2.PNG", + "https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG" + ], + "encryption": "AES-256 + RSA", + "extensions": [ + ".maktub" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "NMoreira Ransomware", + "uuid": "9490641f-6a51-419c-b3dc-c6fa2bab4ab3" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/vindowslocker-ransomware.html", + "https://malwarebytes.app.box.com/s/gdu18hr17mwqszj3hjw5m3sw84k8hlph", + "https://rol.im/VindowsUnlocker.zip", + "https://twitter.com/JakubKroustek/status/800729944112427008", + "https://www.bleepingcomputer.com/news/security/vindowslocker-ransomware-mimics-tech-support-scam-not-the-other-way-around/" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-61DcGSFljUk/WDM2UpFZ02I/AAAAAAAACMw/smvauQCvG3IPHOtEjPP4ocGKmBhVRBv-wCLcB/s1600/lock-note.png" + ], + "encryption": "AES", + "extensions": [ + ".vindows" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom amount is 349.99$ and the hacker seems to be from India. 
He disguises himself as Microsoft Support.", + "value": "VindowsLocker Ransomware", + "uuid": "b58e1265-2855-4c8a-ac34-bb1504086084" + }, + { + "meta": { + "refs": [ + "http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html", + "https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-RwJ6R-uvYg0/V-qfeRPz7GI/AAAAAAAABi8/7x4MxRP7Jp8edbTJqz4iuEye0q1u5k3pQCLcB/s1600/donald-trump-ransomware.jpg", + "https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/" + ], + "encryption": "AES", + "extensions": [ + ".ENCRYPTED" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Here is the original ransomware under this name: http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html", + "value": "Donald Trump 2 Ransomware", + "uuid": "96c10791-258f-4b2b-a2cc-b5abddbdb285" + }, + { + "meta": { + "synonyms": [ + "Voldemort Ransomware" + ], + "refs": [ + "http://id-ransomware.blogspot.co.il/2016/09/nagini-voldemort-ransomware.html", + "https://www.bleepingcomputer.com/news/security/the-nagini-ransomware-sics-voldemort-on-your-files/" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-qJHhbtoL1Y4/V-lOClxieEI/AAAAAAAABis/IbnVAY8hnmEfU8_iU1CgQ3FWeX4YZOkBACLcB/s1600/Nagini.jpg" + ], + "encryption": "RSA", + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Looks for C:\\Temp\\voldemort.horcrux", + "value": "Nagini Ransomware", + "uuid": "46a35af7-9d05-4de4-a955-41ccf3d3b83b" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/shelllocker-ransomware.html", + "https://twitter.com/JakubKroustek/status/799388289337671680" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-0N1ZUh4WcxQ/WDCfENY1eyI/AAAAAAAACKE/_RVIxRCwedMrD0Tj9o6-ew8u3pL0Y5w8QCLcB/s1600/lock-note2.jpg" + ], + "encryption": "AES", + "extensions": [ + ".l0cked", + ".L0cker" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "ShellLocker Ransomware", + "uuid": "a8ea7a67-c019-4c6c-8061-8614c47f153e" + }, + { + "meta": { + "synonyms": [ + "ChipLocker Ransomware" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html", + "http://malware-traffic-analysis.net/2016/11/17/index.html", + "https://www.bleepingcomputer.com/news/security/rig-e-exploit-kit-now-distributing-new-chip-ransomware/" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-OvB9TMJoimE/WC9QXRPFNwI/AAAAAAAACJU/iYcCC9tKvGIu4jH2bd6xLvmO7KMVVCLdgCLcB/s1600/note_2.PNG", + "CHIP_FILES.txt" + ], + "encryption": "AES + RSA-512", + "extensions": [ + ".CHIP", + ".DALE" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Chip Ransomware", + "uuid": "7487fd37-d4ba-4c85-b6f8-8d4d7d5b74d7" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html", + "https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/" + ], + "ransomnotes": [ + "README.txt", + "README.jpg", + "Info.hta" + ], + "encryption": "AES + RSA-512", + "extensions": [ + ".dharma", + ".wallet", + ".zzzzz" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS > Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant", + "value": "Dharma Ransomware", + "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/angela-merkel-ransomware.html", + "https://twitter.com/malwrhunterteam/status/798268218364358656" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-QaJ-Z27tL7s/WDCvwYY2UVI/AAAAAAAACKg/swpf1eKf1Y8oYIK5U8gbfi1H9AQ3Q3r8QCLcB/s1600/angela-merkel.jpg" + ], + "encryption": "AES", + "extensions": [ + ".angelamerkel" + ], + "date": "November 2016" + }, + "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. 
It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Angela Merkel Ransomware", + "uuid": "a9bb4ae1-b4da-49bb-aeeb-3596cb883860" + }, + { + "meta": { + "synonyms": [ + "YafunnLocker" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html", + "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/", + "https://twitter.com/malwareforme/status/798258032115322880" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-skwh_-RY50s/WDK2XLhtt3I/AAAAAAAACL0/CaZ0A_fl2Zk-YZYU9g4QCQZkODpicbXpQCLcB/s1600/note_2.PNG", + "https://4.bp.blogspot.com/-tCYSY5fpE5Q/WDLLZssImkI/AAAAAAAACMg/7TmWPW3k4jQuGIYZN_dCxcSGcY_c4po9wCLcB/s1600/note3_2.PNG", + "%AppData%\\@WARNING_FILES_ARE_ENCRYPTED.[victim_id].txt." + ], + "encryption": "AES-256 + RSA-2048", + "extensions": [ + "._luck" + ], + "date": "November 2016" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "CryptoLuck Ransomware", + "uuid": "615b682d-4746-464d-8091-8869d0e6ea2c" + }, + { + "meta": { + "synonyms": [ + "Nemesis", + "X3M" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/crypton-ransomware.html", + "https://decrypter.emsisoft.com/crypton", + "https://www.bleepingcomputer.com/news/security/crypton-ransomware-is-here-and-its-not-so-bad-/", + "https://twitter.com/JakubKroustek/status/829353444632825856" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-2fAMkigwn4E/WCs1vKiB9UI/AAAAAAAACIs/_kgk8U9wfisV0MTYInIbArwL8zgLyBDIgCLcB/s1600/note-eng.png" + ], + "encryption": "AES-256 + RSA + SHA-256", + "extensions": [ + "_crypt", + ".id-_locked", + ".id-_locked_by_krec", + ".id-_locked_by_perfect", + ".id-_x3m", + ".id-_r9oj", + ".id-_garryweber@protonmail.ch", + ".id-_steaveiwalker@india.com_", + ".id-_julia.crown@india.com_", + ".id-_tom.cruz@india.com_", + ".id-_CarlosBoltehero@india.com_", + ".id-_maria.lopez1@india.com_" + ], + "date": "November 2016" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Crypton Ransomware", + "uuid": "117693d2-1551-486e-93e5-981945eecabd" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/karma-ransomware.html", + "https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomware-being-distributed-via-pay-per-install-network/", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-18th-2016-crysis-cryptoluck-chip-and-more/" + ], + "ransomnotes": [ + "https://www.bleepstatic.com/images/news/ransomware/k/karma-ransomware/ransom-note.png", + "# DECRYPT MY FILES #.html", + "# DECRYPT MY FILES #.txt" + ], + "encryption": "AES", + "extensions": [ + ".karma" + ], + "date": "November 2016" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. pretends to be a Windows optimization program called Windows-TuneUp", + "value": "Karma Ransomware", + "uuid": "51596eaa-6df7-4aa3-8df4-cec3aeffb1b5" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/wickedlocker-ht-ransomware.html" + ], + "ransomnotes": [ + "https://2.bp.blogspot.com/-CTLT300bjNk/WCg9mrJArSI/AAAAAAAACGk/weWSqTMVS9AXdxJh_SA06SOH4kh2VGW1gCLcB/s1600/note_2.PNG.png" + ], + "encryption": "AES", + "extensions": [ + ".locked" + ], + "date": "November 2016" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "WickedLocker HT Ransomware", + "uuid": "878c06be-95d7-4a0d-9dba-178ffc1d3e5e" + }, + { + "meta": { + "synonyms": [ + "PClock SuppTeam Ransomware", + "WinPlock", + "CryptoLocker clone" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/", + "https://id-ransomware.blogspot.co.il/2016/11/suppteam-ransomware-sysras.html", + "http://researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/", + "https://decrypter.emsisoft.com/" + ], + "ransomnotes": [ + "Your files are locked !.txt", + "Your files are locked !!.txt", + "Your files are locked !!!.txt", + "Your files are locked !!!!.txt", + "%AppData%\\WinCL\\winclwp.jpg" + ], + "encryption": "AES or XOR", + "extensions": [ + ".locked" + ], + "date": "November 2016" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoLocker Copycat", + "value": "PClock3 Ransomware", + "uuid": "6c38f175-b32a-40ef-8cad-33c2c8840d51" + }, + { + "meta": { + "synonyms": [ + "Kolobocheg Ransomware" + ], + "refs": [ + "https://www.ransomware.wiki/tag/kolobo/", + "https://id-ransomware.blogspot.co.il/2016/11/kolobo-ransomware.html", + "https://forum.drweb.com/index.php?showtopic=315142" + ], + "ransomnotes": [ + "https://www.ransomware.wiki/tag/kolobo/" + ], + "encryption": "XOR and RSA", + "extensions": [ + ".kolobocheg@aol.com_" + ], + "date": "November 2016" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. 
English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "Kolobo Ransomware", + "uuid": "f32f0bec-961b-4c01-9cc1-9cf409efd598" + }, + { + "meta": { + "synonyms": [ + "Paysafecard Generator 2016" + ], + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/paysafegen-german-ransomware.html", + "https://twitter.com/JakubKroustek/status/796083768155078656" + ], + "ransomnotes": [ + "https://3.bp.blogspot.com/-r2kaNLjBcEk/WCNCqrpHPZI/AAAAAAAACEE/eFSWuu4mUZoDV5AnduGR4KxHlFM--uIzACLcB/s1600/lock-screen.png" + ], + "encryption": "AES-256", + "extensions": [ + ".cry_" + ], + "date": "November 2016" + }, + "description": "This is most likely to affect German speaking users, since the note is written in German. Mostly affects users in German speaking countries. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "PaySafeGen (German) Ransomware", + "uuid": "379d5258-6f11-4c41-a685-c2ff555c0cb9" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/telecrypt-ransomware.html", + "http://www.securityweek.com/telecrypt-ransomwares-encryption-cracked", + "https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-UFksnOoE4Ss/WCRUNbQuqyI/AAAAAAAACFI/Gs3Gkby335UmiddlYWJDkw8O-BBLt-BlQCLcB/s1600/telegram_rans.gif" + ], + "encryption": "AES", + "extensions": [ + ".Xcri" + ], + "date": "November 2016" + }, + "description": "This is most likely to affect Russian speaking users, since the note is written in Russian. Therefore, residents of Russian speaking country are affected. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransomware\u2019s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money ). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills. 
Telecrypt will generate a random string to encrypt with that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq.", + "value": "Telecrypt Ransomware", + "uuid": "2f362760-925b-4948-aae5-dd0d2fc21002" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/cerbertear-ransomware.html", + "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/", + "https://twitter.com/struppigel/status/795630452128227333" + ], + "ransomnotes": [ + "https://4.bp.blogspot.com/-ftA6aPEXwPM/WCDY3IiSq6I/AAAAAAAACCU/lnH25navXDkNccw5eQL9fkztRAeIqDYdQCLcB/s1600/note111.png" + ], + "encryption": "AES", + "extensions": [ + ".cerber" + ], + "date": "November 2016" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", + "value": "CerberTear Ransomware", + "uuid": "28808e63-e71f-4aaa-b203-9310745f87b6" + }, + { + "meta": { + "refs": [ + "https://id-ransomware.blogspot.co.il/2016/11/fucksociety-ransomware.html" + ], + "encryption": "RSA-4096", + "extensions": [ + ".dll" + ], + "date": "November 2016" + }, + "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Hidden Tear >> APT Ransomware + HYPERLINK \"https://id-ransomware.blogspot.ru/2016/05/remindme-ransomware-2.html\" \t \"_blank\" RemindMe > FuckSociety",
+ "value": "FuckSociety Ransomware",
+ "uuid": "81c476c3-3190-440d-be4a-ea875e9415aa"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Serpent Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/11/paydos-ransomware-serpent.html",
+ "https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers"
+ ],
+ "ransomnotes": [
+ "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].html",
+ "HOW_TO_DECRYPT_YOUR_FILES_[random_3_chars].txt"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".dng",
+ ".serpent"
+ ],
+ "date": "November 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Batch file; Passcode: AES1014DW256 or RSA1014DJW2048",
+ "value": "PayDOS Ransomware",
+ "uuid": "4818a48a-dfc2-4f35-a76d-e4fb462d6c94"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/11/zscreenlocker-ransomware.html",
+ "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/",
+ "https://twitter.com/struppigel/status/794077145349967872"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".dng"
+ ],
+ "date": "November 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. 
English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "zScreenLocker Ransomware",
+ "uuid": "47834caa-2226-4a3a-a228-210a64c281b9"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/11/gremit-ransomware.html",
+ "https://twitter.com/struppigel/status/794444032286060544",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/11-4-16/CwZubUHW8AAE4qi[1].jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".rnsmwr"
+ ],
+ "date": "November 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Gremit Ransomware",
+ "uuid": "47512afc-ecf2-4766-8487-8f3bc8dddbf3"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/11/hollycrypt-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-PdtXGwSTn24/WBxIoomzF4I/AAAAAAAAB-U/lxTwKWc7T9MJhUtcRMh1mn9m_Ftjox9XwCLcB/s1600/note_2.PNG"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".hollycrypt"
+ ],
+ "date": "November 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Hollycrypt Ransomware",
+ "uuid": "b77298c1-3f84-4ffb-a81b-36eab5c10881"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "BTC Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/11/btclocker-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/--7M0dtKhOio/WBxJx1PflYI/AAAAAAAAB-g/DSdMjLDLnVwwaMBW4H_98SzSJupLYm9WgCLcB/s1600/note_2.PNG"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".BTC"
+ ],
+ "date": "November 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "BTCLocker Ransomware",
+ "uuid": "3f461284-85a1-441c-b07d-8b547be43ca2"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/11/kangaroo-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-1jyI1HoqJag/WBzj9SLvipI/AAAAAAAAB_U/_sp8TglWEPQphG8neqrztfUUIjcBbVhDwCLcB/s1600/kangaroo-lock_2.png",
+ "filename.Instructions_Data_Recovery.txt"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".crypted_file"
+ ],
+ "date": "November 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
From the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda",
+ "value": "Kangaroo Ransomware",
+ "uuid": "5ab1449f-7e7d-47e7-924a-8662bc2df805"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/11/dummyencrypter-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-2rS0Yq27wp0/WBtKfupZ2sI/AAAAAAAAB8I/0MR-9Xx0n-0zV_NBSScDCiYTp1KH-edtACLcB/s1600/Lockscreen_2.png"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".dCrypt"
+ ],
+ "date": "November 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "DummyEncrypter Ransomware",
+ "uuid": "6bf055c6-acb2-4459-92b0-70d61616ab62"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "SFX Monster Ransomware"
+ ],
+ "refs": [
+ "http://virusinfo.info/showthread.php?t=201710",
+ "https://id-ransomware.blogspot.co.il/2016/11/encryptss77-ransomware.html"
+ ],
+ "ransomnotes": [
+ "YOUR FILES ARE ENCRYPTED THAT THEIR DECRYPT SEND EMAIL US AT encryptss77@gmail.com IN MESSAGE INDICATE IP ADDRESS OF COMPUTER WHERE YOU SAW THIS MESSAGE YOU CAN FIND IT ON 2IP.RU WE WILL REPLY TO YOU WITHIN 24 HOURS"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".dCrypt"
+ ],
+ "date": "November 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Encryptss77 Ransomware",
+ "uuid": "317cab8a-31a1-4a82-876a-94edc7afffba"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/11/winrarer-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-zb0TP0wza7I/WBpShN0tCMI/AAAAAAAAB64/oTkSFwKFVx8hY1rEs5FQU6F7oaBW-LqHwCLcB/s1600/note_2.png"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".ace"
+ ],
+ "date": "November 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "WinRarer Ransomware",
+ "uuid": "7ee22340-ed89-4e22-b085-257bde4c0fc5"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/11/russian-globe-ransomware.html"
+ ],
+ "ransomnotes": [
+ "YOUR FILES HAVE BEEN ENCRYPTED! Your personal ID ***** Your file have been encrypted with a powerful strain of a virus called ransomware. Your files are encrypted using the same methods banks and the military use. There is currently no possible way to decrypt files with the private key. Lucky for you, we can help. We are willing to sell you a decryptor UNIQUELY made for your computer (meaning someone else's decryptor will not work for you). Once you pay a small fee, we will instantly send you the software/info necessary to decrypt all your files, quickly and easily."
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".blackblock"
+ ],
+ "date": "November 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Russian Globe Ransomware",
+ "uuid": "30771cde-2543-4c13-b722-ff940f235b0f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/11/zerocrypt-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-0AGEY4vAlA0/WBi_oChzFNI/AAAAAAAAB4w/8PrPRfFU30YFWCwHzqnsx4bYISVNFyesQCLcB/s1600/note.PNG"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".zn2016"
+ ],
+ "date": "November 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "ZeroCrypt Ransomware",
+ "uuid": "e999ca18-61cb-4419-a2fa-ab8af6ebe8dc"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/rotorcrypt-ransomware.html"
+ ],
+ "ransomnotes": [
+ "Good day Your files were encrypted/locked As evidence can decrypt file 1 to 3 1-30MB The price of the transcripts of all the files on the server: 7 Bitcoin Recommend to solve the problem quickly and not to delay Also give advice on how to protect Your server against threats from the network (Files sql mdf backup decryption strictly after payment)!"
+ ],
+ "encryption": "RSA",
+ "extensions": [
+ ".c400",
+ ".c300"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "RotorCrypt(RotoCrypt, Tar) Ransomware",
+ "uuid": "63991ed9-98dc-4f24-a0a6-ff58e489c263"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/ishtar-ransomware.html"
+ ],
+ "ransomnotes": [
+ "FOR FILE DISCRIPTION, PLEASE CONTACT YOU@edtonmail@protonmail.com Or BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/ BASIC TECHNICAL DETAILS: > Standard encryption order: AES 256 + RSA 2048. > A unique AES key is created for each file. > Decryption is impossible without the ISHTAR.DATA file (see% APPDATA% directory). ----- TO DECRYPT YOUR FILES PLEASE WRITE TO youneedmail@protonmail.com OR TO BM-NBYR3ctSgr67iciT43rRNmHdHPAYBBK7 USING BITMESSAGE DESKTOP OR https://bitmsg.me/ BASIC TECHNICAL DETAILS: > Standart encryption routine: AES 256 + RSA 2048. > Every AES key is unique per file. > Decryption is impossible without ISHTAR.DATA file (see% APPDATA% path)."
+ ],
+ "encryption": "AES-256 + RSA-2048",
+ "extensions": [
+ "ISHTAR-. (prefix)"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.",
+ "value": "Ishtar Ransomware",
+ "uuid": "30cad868-b2f1-4551-8f76-d17695c67d52"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html",
+ "https://twitter.com/struppigel/status/791943837874651136"
+ ],
+ "ransomnotes": [
+ "IMPORTANT!!!! All of your computer files have been encrypted. DO NOT CHANGE ANY FILES! We can restore all the files. 
How to restore files: - \n1) Follow this link: - http://goo.gl/forms/VftoBRppkJ \n2) Fill out the form above. \n3) For 24 hours on your email + mobile SMS will come instructions for solving the problem. Thank you! DarkWing020",
+ "https://3.bp.blogspot.com/-gqEyoqXbZnE/WBXoF5bPZZI/AAAAAAAAB2U/YGpgIdjXyQQeDnwc9PlJs37YWtWTnH_wgCLcB/s1600/note.jpg",
+ "CreatesReadThisFileImportant.txt"
+ ],
+ "extensions": [
+ ".hcked"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "MasterBuster Ransomware",
+ "uuid": "07f859cd-9c36-4dae-a6fc-fa4e4aa36176"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Jack.Pot Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/jackpot-ransomware.html",
+ "https://twitter.com/struppigel/status/791639214152617985",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-oaElZvUqbfo/WBUOGdD8unI/AAAAAAAAB1w/Ya1_qq0gfa09AhRddUITQNRxKloXgD_BwCLcB/s1600/wallp.jpg"
+ ],
+ "extensions": [
+ ".coin"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "JackPot Ransomware",
+ "uuid": "04f1772a-053e-4f6e-a9af-3f83ab312633"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/onyx-ransomware.html",
+ "https://twitter.com/struppigel/status/791557636164558848",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/"
+ ],
+ "ransomnotes": [
+ "All your files are encrypted, but do not worry, they have not been removed. (for now) You have 24 hours to pay $100. Money move to the specified Bitcoin -account. Otherwise, all files will be destroyed. Do not turn off the computer and/or do not attempt to disable me. When disobedience will be deleted 100 files.",
+ "https://1.bp.blogspot.com/-cukkC4KAhZE/WBY1jJbcQoI/AAAAAAAAB3I/p8p-iNQRnQwnP6c6H77h_SHMQNAlkJ1CgCLcB/s1600/onyx.jpg"
+ ],
+ "extensions": [
+ ".Encryption:"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Georgian ransomware",
+ "value": "ONYX Ransomeware",
+ "uuid": "927a4150-9380-4310-9f68-cb06d8debcf2"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/ifn643-ransomware.html",
+ "https://twitter.com/struppigel/status/791576159960072192",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-JuBZKpEHV0Q/WBYNHFlW7pI/AAAAAAAAB20/z0DPYA_8l6U8tB6pbgo8ZwyIJRcrIVy2ACLcB/s1600/Note1.JPG"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".inf643"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "IFN643 Ransomware",
+ "uuid": "ddeab8b3-5df2-414e-9c6b-06b309e1fcf4"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/alcatraz-locker-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/",
+ "https://twitter.com/PolarToffee/status/792796055020642304"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-b0-Uvnz703Q/WBcMGkZqtwI/AAAAAAAAB3Y/a6clIjdp_tI2T-OE_ykyjvB2qNY3gqWdQCLcB/s1600/Screenshot_1.jpg",
+ "https://2.bp.blogspot.com/-y5a6QnjAiv0/WBcMKV0zDDI/AAAAAAAAB3c/ytOQHJgmy30H_jEWPcfht7RRsh4NhcrvACLcB/s1600/Screenshot_2.jpg",
+ "ransomed.hTmL"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".Alcatraz"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Alcatraz Locker Ransomware",
+ "uuid": "2ad63264-8f52-4ab4-ad26-ca8c3bcc066e"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/esmeralda-ransomware.html",
+ "https://www.bleepingcomputer.com/forums/t/630835/esmeralda-ransomware/"
+ ],
+ "ransomnotes": [
+ "Windows has encountered a critical problem and needs your immediate action to recover your data. The system access is locked and all the data have been encrypted to avoid the information be published or misused. You will not be able to access to your files and ignoring this message may cause the total loss of the data. We are sorry for the inconvenience. You need to contact the email below to restore the data of your system. Email: esmeraldaencryption@mail.ru You will have to order the Unlock-Password and the Esmeralda Decryption Software. All the instructions will be sent to you by email.",
+ "https://2.bp.blogspot.com/-vaWu8OjSiXE/WBzkLBdB8DI/AAAAAAAAB_Y/k8vvtYEIdTkFJhruRJ6qDNAujAn4Ph-xACLcB/s1600/esmeralda-lock_2.png"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".encrypted"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Esmeralda Ransomware",
+ "uuid": "ff5a04bb-d412-4cb3-9780-8d3488b7c268"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/encryptile-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-_jxt6kCRnwM/WBNf7mi92nI/AAAAAAAAB0g/homx8Ly379oUKAOIhZU6MxCiWX1gA_TkACLcB/s1600/wallp.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".encrypted"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "EncrypTile Ransomware",
+ "uuid": "56e49b84-a250-4aaf-9f65-412616709652"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/fileice-ransomware-survey.html",
+ "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-GAPCc3ITdQY/WBMTmJ4NaRI/AAAAAAAABzM/XPbPZvZ8vbUrOWxtwPmfHFJiNT_2gfaOgCLcB/s1600/fileice-source.png"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".encrypted"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of how the hacker tricks the user using the survey method. 
https://1.bp.blogspot.com/-72ECd1vsUdE/WBMSzPQEgzI/AAAAAAAABzA/i8V-Kg8Gstcn_7-YZK__PDC2VgafWcfDgCLcB/s1600/survey-screen.png The hacker definatly has a sense of humor: https://1.bp.blogspot.com/-2AlvtcvdyUY/WBMVptG_V5I/AAAAAAAABzc/1KvAMeDmY2w9BN9vkqZO8LWkBu7T9mvDACLcB/s1600/ThxForYurTyme.JPG",
+ "value": "Fileice Ransomware Survey Ransomware",
+ "uuid": "ca5d0e52-d0e4-4aa9-872a-0669433c0dcc"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/cryptowire-ransomware.html",
+ "https://twitter.com/struppigel/status/791554654664552448",
+ "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-vIMgkn8WVJM/WBJAxkbya7I/AAAAAAAABys/tCpaTOxfGDw8A611gudDh46mhZT70dURwCLcB/s1600/lock-screen.jpg",
+ "https://1.bp.blogspot.com/-b0QiEQec0Pg/WBMf2HG6hjI/AAAAAAAABz8/BtN2-INZ2KQ4W2_iPqvDZTtlA0Aq_4gVACLcB/s1600/Screenshot_2.jpg"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".encrypted"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "CryptoWire Ransomeware",
+ "uuid": "4e6e45c2-8e13-49ad-8b27-e5aeb767294a"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Hungarian Locky Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html",
+ "https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe",
+ "https://twitter.com/struppigel/status/846241982347427840"
+ ],
+ "ransomnotes": [
+ "https://1.bp.blogspot.com/-lLZZBScC27U/WBmkDQzl9FI/AAAAAAAAB5Y/gozOy17Yv0EWNCQVSOXn-PkTccYZuMmPQCLcB/s1600/note-bmp_2.png",
+ "!!! 
IMPORTANT INFORMATION !!!! All files are encrypted using RSA-3072 and AES128 encryption. You can learn more about RSA and AES ciphers here: Https://hu.wikipedia.org/wiki/RSA-elj\u00e1r\u00e1s Https://hu.wikipedia.org/wiki/Advanced_Encryption_Standard To return files, you need to get a secret key and decryption program. To get the key, please follow these steps: \n1. Send an identification code to the email address locky@mail2tor.com! If you want, send a 1 MB file for decryption. In order to prove that we can recover data. (Please, email must contain only the identification code, as well as the attachment) \n3. Please note, check the mail, we will send you an email within 24 hours! You will receive a decrypted file and decryption program in the attachment. Follow the instructions in the email.!!! Your identification code !!!",
+ "_Adatok_visszaallitasahoz_utasitasok.txt",
+ "_locky_recover_instructions.txt"
+ ],
+ "encryption": "AES-128+RSA",
+ "extensions": [
+ ".locky",
+ "[a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on Locky",
+ "value": "Hucky Ransomware",
+ "uuid": "74f91a93-4f1e-4603-a6f5-aaa40d2dd311"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/winnix-cryptor-ransomware.html",
+ "https://twitter.com/PolarToffee/status/811940037638111232"
+ ],
+ "ransomnotes": [
+ "Your files are encrypted! Your files have been safely encrypted on this PC: photos, documents, databases, etc. Encryption was produced using a unique public key generated for this computer. To decrypt files you need to obtain the private key. 
The only way to get the private key is to pay 4 BTC. You saved it on qualified system administrator who could make your network safe and secure. In order to decrypt the files send your bitcoins to the following address: 13gYXFxpzm7hAd4esdnJGt9JvYqyD1Y6by After you complete your payment, send an email to 6214ssxpvo@sigaint.org with YOUR ID as subject (ID is in the end of the file) and you'll receive private key, needed software and step by step guide in 1 business day. Offer is valid for 5 business days (expiration date is in the end of the file). AFTER TIME IS UP, PRICE DOUBLES. No discounts, no other payment methods. How to buy bitcoins? \n1. Create a Bitcoin Wallet (we recommend Blockchain.info) \n2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (= 0.0005). Here are our recommendations: LocalBitcoins.com \u2013 the fastest and easiest way to buy and sell Bitcoins; CoinCafe.com \u2013 the simplest and fastest way to buy, sell and use Bitcoins; BTCDirect.eu \u2013 the best for Europe; CEX.IO \u2013 Visa / MasterCard; CoinMama.com \u2013 Visa / MasterCard; HowToBuyBitcoins.info \u2013 discover quickly how to buy and sell bitcoins in your local currency. More questions? Send an email to 6214ssxpvo@sigaint.org ID: *** EXP DATE: Sept. 12 2016 Winnix Cryptor Team",
+ "YOUR FILES ARE ENCRYPTED!.txt"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".wnx"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Winnix Cryptor Ransomware",
+ "uuid": "e30e663d-d8c8-44f2-8da7-03b1a9c52376"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html",
+ "https://twitter.com/demonslay335/status/790334746488365057"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-k3s85Fx9N_E/WBIfuUNTMmI/AAAAAAAAByM/rQ10tKuXTlEJfLTOoBwJPo7rhhaiK2OoQCLcB/s1600/screen-lock.jpg",
+ "ANGRY DUCK! All your important files have been encrypted using very string cryptography (AES-512 With RSA-64 FIPS grade encryption). To recover your files, send 10 BTC to my private wallet DON'T MESS WITH THE DUCKS!!!"
+ ],
+ "encryption": "AES-512",
+ "extensions": [
+ ".adk"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Demands 10 BTC",
+ "value": "AngryDuck Ransomware",
+ "uuid": "2813a5c7-530b-492f-8d77-fe7b1ed96a65"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/lock93-ransomware.html",
+ "https://twitter.com/malwrhunterteam/status/789882488365678592"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-WuD2qaaNIb0/WA4_g_FnIfI/AAAAAAAABx4/pn6VNqMXMzI_ryvKUruY3ctYtzomT1I4gCLcB/s1600/note3.jpg",
+ "https://1.bp.blogspot.com/-S6M83oFxSdM/WA4_ak9WATI/AAAAAAAABx0/3FL3q21FdxMQvAgrr2FORQIaNtq2-P2jACLcB/s1600/note2.jpg"
+ ],
+ "encryption": "AES-512",
+ "extensions": [
+ ".lock93"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. 
English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Lock93 Ransomware",
+ "uuid": "2912426d-2a26-4091-a87f-032a6d3d28c1"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html",
+ "https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-5gZpxeEWqZg/WBeNnEP9GzI/AAAAAAAAB4g/ELCCp88whLMI6CzpGTjlxbmXBMFIKhwtwCLcB/s1600/onion-site.JPG",
+ "!!!!!readme!!!!!.htm"
+ ],
+ "encryption": "AES-512",
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "ASN1 Encoder Ransomware",
+ "uuid": "dd99cc50-91f7-4375-906a-7d09c76ee9f7"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/click-me-ransomware.html",
+ "https://www.youtube.com/watch?v=Xe30kV4ip8w"
+ ],
+ "ransomnotes": [
+ "All right my dear brother!!! Enough free playing. Your files have been encrypted. Pay so much this much money so I can send you the password for your files. I can be paid this much too cause I am very kind. So move on I didn't raise the price."
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".hacked"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker tries to get the user to play a game and when the user clicks the button, there is no game, just 20 pictures in a .gif below: https://3.bp.blogspot.com/-1zgO3-bBazs/WAkPYqXuayI/AAAAAAAABxI/DO3vycRW-TozneSfRTdeKyXGNEtJSMehgCLcB/s1600/all-images.gif",
+ "value": "Click Me Ransomware",
+ "uuid": "97bdadda-e874-46e6-8672-11dbfe3958c4"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-4HNc9S8SY4I/WBMkpdKyDsI/AAAAAAAAB0I/udESgro7YB4pF98Dv2KrrecyymFGsvV2QCLcB/s1600/note.JPG"
+ ],
+ "encryption": "AES-256 + RSA-2048",
+ "extensions": [
+ ".hacked"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "AiraCrop Ransomware",
+ "uuid": "e7a5c384-a93c-4ed4-8411-ca1e52396256"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "SHC Ransomware",
+ "SHCLocker",
+ "SyNcryption"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/japanlocker-ransomware.html",
+ "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/japanlocker",
+ "https://github.com/fortiguard-lion/schRansomwareDecryptor/blob/master/schRansomwarev1_decryptor.php",
+ "https://blog.fortinet.com/2016/10/19/japanlocker-an-excavation-to-its-indonesian-roots"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-sdlDK4OIuPA/WAehWZYHaMI/AAAAAAAABvc/TcAcLG2lw10aOFY3FbP1A5EuLjL6LR62ACLcB/s1600/note.jpg"
+ ],
+ "encryption": "AES-256 + RSA-2048",
+ "extensions": [
+ "#LOCK#"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Base64 encoding, ROT13, and top-bottom swapping",
+ "value": "JapanLocker Ransomware",
+ "uuid": "d579e5b6-c6fd-43d9-9213-7591cd324f94"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html",
+ "http://nyxbone.com/malware/Anubis.html"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-0YMsPH5WuTk/WAepI4BnqZI/AAAAAAAABv0/yXt4tdrmmAIf-N9KUmehY6mK1kTV-eFFQCLcB/s1600/note-wal2.jpg",
+ "Decryption Instructions.txt"
+ ],
+ "encryption": "AES(256)",
+ "extensions": [
+ ".coded"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. 
English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. EDA2",
+ "value": "Anubis Ransomware",
+ "uuid": "a6215279-37d8-47f7-9b1b-efae4178c738"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/xtplocker-ransomware.html"
+ ],
+ "ransomnotes": [
+ "Attention! ! ! All of your copies of your system have been permanently deleted and the data on all partitions and workstations have been encrypted! Stay calm. You can recover all your data by making a payment of 2 BTC (1200 USD) in Bitcoin currency to receive a decryption key. To purchase Bitcions you can use www.coinbase.com After buying BTC send the equivalent of 2 BTC (1200 USD) to our BTC adress : 16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB After payment contact us to receive your decryption key. In mail title write your unique ID: {custom id visually resembling a MAC address} Our e-mail: crypt302@gmx.com"
+ ],
+ "encryption": "AES-256",
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "XTPLocker 5.0 Ransomware",
+ "uuid": "eef4bf49-5b1d-463a-aef9-538c5dc2f71f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/eviltwins-exotic-ransomware-targets-executable-files/",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/",
+ "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/exotic-ransomware",
+ "https://id-ransomware.blogspot.co.il/2016/10/exotic-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-WJYR7LkWHWY/WAaCYScljOI/AAAAAAAABuo/j18AGhzv7WUPb2r4HWkYm4TPgYw9S5PUwCLcB/s1600/note1-1.jpg",
+ "https://4.bp.blogspot.com/-2QxJ3KCRimI/WAaCcWcE2uI/AAAAAAAABus/9SGRY5iQT-ITfG_JrY7mn6-PUpQrSKg7gCLcB/s1600/note1-2.jpg",
+ "https://3.bp.blogspot.com/-SMXOoWiGkxw/WAaGOMdecrI/AAAAAAAABu8/S-YjlWlPKbItSN_fe8030tMDHWzouHsIgCLcB/s1600/note2.jpg"
+ ],
+ "encryption": "AES-128",
+ "extensions": [
+ ".exotic",
+ "random.exotic"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
Also encrypts executables",
+ "value": "Exotic Ransomware",
+ "uuid": "eb22cb8d-763d-4cac-af35-46dc4f85317b"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/apt-ransomware-2.html"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-VTUhk_Py2FA/WAVCO1Yn69I/AAAAAAAABuI/N71wo2ViOE0UjrIdbeulBRTJukHtA2TdACLcB/s1600/ransom-note.jpg"
+ ],
+ "encryption": "AES-128",
+ "extensions": [
+ ".dll"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. NO POINT TO PAY THE RANSOM, THE FILES ARE COMPLETELY DESTROYED",
+ "value": "APT Ransomware v.2",
+ "uuid": "6ec0f43c-6b73-4f5e-bee7-a231572eb994"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "WS Go Ransonware",
+ "Trojan.Encoder.6491"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/ws-go-ransonware.html",
+ "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/apt-ransomware-v2"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-NfRePJbfjbY/WAe5LHFsWaI/AAAAAAAABwE/1Pk116TDqAYEDYvnu2vzim1l-H5seW9mQCLcB/s1600/note.png"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".enc"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Windows_Security Ransonware",
+ "uuid": "a57a8bc3-8c33-43e8-b237-25edcd5f532a"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/ncrypt-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-k7T79DnBk8w/WBc67QXyjWI/AAAAAAAAB3w/QbA-E9lYdSMOg3PcG9Vz8fTc_OhmACObACLcB/s1600/note-html.jpg"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".NCRYPT",
+ ".ncrypt"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "NCrypt Ransomware",
+ "uuid": "d590865e-f3ae-4381-9d82-3f540f9818cb"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/venis-ransomware.html",
+ "https://twitter.com/Antelox/status/785849412635521024",
+ "http://pastebin.com/HuK99Xmj"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-IFEOWjw-aaQ/WAXTu9oEN4I/AAAAAAAABuY/APqBiaHn3pAX8404Noyuj7tnFJDf2m_XACLcB/s1600/note1.jpg"
+ ],
+ "encryption": "AES-2048",
+ "extensions": [
+ ".venis"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. 
In devVenisRansom@protonmail.com",
+ "value": "Venis Ransomware",
+ "uuid": "b9cfe6f3-5970-4283-baf4-252e0491b91c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/enigma-2-ransomware.html"
+ ],
+ "ransomnotes": [
+ "We encrypt important files on your computer: documents, databases, photos, videos and keys. Files encryption algorithm AES 128 (https://ru.wikipedia.org/wiki/Advanced_Encryption_Standard) with a private key that only we know. Encrypted files have .1txt extension. It decrypts files without the private key IMPOSSIBLE. \nIf you want to get the files back: \n1) Install the Tor Browser http://www.torproject.org/ \n2) Locate the desktop key to access E_N_I_G_M_A.RSA site (password is encrypted in the key of your files) \n3) Go to the website http://kf2uimw5omtgveu6.onion/ into a torus-browser and log in using E_N_I_G_M_A.RSA \n4) Follow the instructions on the website and download the decoder \nC:\\Documents and Settings\\\u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\\\u0420\u0430\u0431\u043e\u0447\u0438\u0439\u0441\u0442\u043e\u043b\\E_N_I_G_M_A.RSA - The path to the key file on the desktop C:\\DOCUME~1\\9335~1\\LOCALS~1\\Temp\\E_N_I_G_M_A.RSA - The path to the key file in TMP directory"
+ ],
+ "encryption": "AES-128",
+ "extensions": [
+ ".1txt"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Enigma 2 Ransomware",
+ "uuid": "507506a3-3745-47fd-8d31-ef122317c0c2"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Deadly for a Good Purpose Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/deadly-ransomware.html",
+ "https://twitter.com/malwrhunterteam/status/785533373007728640"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-XZiiaCYM9Bk/WAUsUkrCJEI/AAAAAAAABtk/z-sMHflz3Q8_aWc-K9PD0N5TGkSGwwQnACLcB/s1600/note-html.jpg"
+ ],
+ "encryption": "AES-256",
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. sample is set to encrypt only in 2017...",
+ "value": "Deadly Ransomware",
+ "uuid": "a25e39b0-b601-403c-bba8-2f595e221269"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/comrade-circle-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-MmzOC__9qPA/V__t2kNX-SI/AAAAAAAABrc/t8ypPa1jCIUbPfvR7UGbdGzdvKrbAv_DgCLcB/s1600/wallpaper.jpg",
+ "https://4.bp.blogspot.com/-hRoC-UFr-7o/V__tAEFuZWI/AAAAAAAABrQ/xDawlulx8Bg4uEtX4bU2ezPMY-x6iFiuQCLcB/s1600/note-1ch.JPG",
+ "https://4.bp.blogspot.com/-PdYtm6sRHAI/WAEngHQBg_I/AAAAAAAABsA/nh8m7__b0wgviTEBahyNYK4HFhF1v7rOQCLcB/s1600/icon-stalin-2.jpg"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".comrade"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. 
The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Comrade Circle Ransomware",
+ "uuid": "db23145a-e15b-4cf7-9d2c-ffa9928750d5"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Purge Ransomware"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/globe2-ransomware.html",
+ "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221"
+ ],
+ "ransomnotes": [
+ "https://3.bp.blogspot.com/-MYI30xhrcZU/V_qcDyASJsI/AAAAAAAABpU/Pej5jDk_baYBByLx1cXwFL8LBiT8Vj3xgCLcB/s1600/note22.jpg"
+ ],
+ "encryption": "AES-256 or Blowfish",
+ "extensions": [
+ ".raid10",
+ ".[random].raid10",
+ ".blt",
+ ".globe",
+ ".[random].blt",
+ ".encrypted",
+ ".[random].globe",
+ ".[random].encrypted",
+ ".mia.kokers@aol.com",
+ ".[mia.kokers@aol.com]",
+ ".lovewindows",
+ ".openforyou@india.com",
+ ".."
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Globe2 Ransomware",
+ "uuid": "5541471c-8d15-4aec-9996-e24b59c3e3d6"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/kostya-ransomware.html",
+ "http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/"
+ ],
+ "ransomnotes": [
+ "https://2.bp.blogspot.com/-E_MI2fT33J0/V_k_9Gjkj4I/AAAAAAAABpA/-30UT5HhPAAR9YtVkFwgrYqLIdWPprZ9gCLcB/s1600/lock-screen.jpg",
+ "https://2.bp.blogspot.com/-4YmIkWfYfRA/V_lAALhfSvI/AAAAAAAABpE/Dj35aroKXSwbLXrSPqGCzbvhsTNHdsbAgCLcB/s1600/kostya.jpg"
+ ],
+ "encryption": "AES-256",
+ "extensions": [
+ ".k0stya"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Kostya Ransomware",
+ "uuid": "7d6f02d2-a626-40f6-81c3-14e3a9a2aea5"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/10/fs0ciety-locker-ransomware.htm"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-nskzYgbg7Ac/V_jpJ3GApqI/AAAAAAAABos/EbG_-BLDPqA9bRVOWdzHjPnDWFiHYlsJwCLcB/s1600/ransom-note.png"
+ ],
+ "encryption": "AES-256 CBC",
+ "extensions": [
+ ".comrade"
+ ],
+ "date": "October 2016"
+ },
+ "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. 
All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
+ "value": "Fs0ciety Locker Ransomware",
+ "uuid": "ed3a4f8a-49de-40c3-9acb-da1b78f89c4f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://id-ransomware.blogspot.co.il/2016/09/erebus-ransomware.html"
+ ],
+ "ransomnotes": [
+ "https://4.bp.blogspot.com/-E9WbSxLgaYs/WGn8gC6EfvI/AAAAAAAAC8A/bzd7uP9fcxU6Fyq1n6-9ZbUUGWlls9lrwCLcB/s1600/note-txt_2.png"
+ ],
+ "encryption": "AES",
+ "extensions": [
+ ".ecrypt"
+ ],
+ "date": "September 2016"
+ },
+ "description": "It\u2019s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. After the files are decrypted, the shadow files are deleted using the following command: vssadmin.exe Delete Shadows /All /Quiet",
+ "value": "Erebus Ransomware",
+ "uuid": "6a77c96b-1814-427f-83ca-fe7e0e40b1c0"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "WannaCrypt",
+ "WannaCry",
+ "WanaCrypt0r",
+ "WCrypt",
+ "WCRY"
+ ],
+ "refs": [
+ "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168"
+ ],
+ "date": "May 2017"
+ },
+ "description": "According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. 
Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.",
+ "value": "WannaCry",
+ "uuid": "d62ab8d5-4ba1-4c45-8a63-13fdb099b33c"
+ },
+ {
+ "value": ".CryptoHasYou.",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".enc"
+ ],
+ "encryption": "AES(256)",
+ "ransomnotes": [
+ "YOUR_FILES_ARE_LOCKED.txt"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/CryptoHasYou.html"
+ ]
+ },
+ "uuid": "a0ce5d94-a22a-40db-a09f-a796d0bb4006"
+ },
+ {
+ "value": "777",
+ "description": "Ransomware",
+ "meta": {
+ "synonyms": [
+ "Sevleg"
+ ],
+ "extensions": [
+ ".777",
+ "._[timestamp]_$[email]$.777",
+ "e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777"
+ ],
+ "encryption": "XOR",
+ "ransomnotes": [
+ "read_this_file.txt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/777"
+ ]
+ },
+ "uuid": "cd9e9eaa-0895-4d55-964a-b53eacdfd36a"
+ },
+ {
+ "value": "7ev3n",
+ "description": "Ransomware",
+ "meta": {
+ "synonyms": [
+ "7ev3n-HONE$T"
+ ],
+ "extensions": [
+ ".R4A",
+ ".R5A"
+ ],
+ "ransomnotes": [
+ "FILES_BACK.txt"
+ ],
+ "refs": [
+ "https://github.com/hasherezade/malware_analysis/tree/master/7ev3n",
+ "https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be",
+ "http://www.nyxbone.com/malware/7ev3n-HONE$T.html"
+ ]
+ },
+ "uuid": "664701d6-7948-4e80-a333-1d1938103ba1"
+ },
+ {
+ "value": "8lock8",
+ "description": "Ransomware Based on HiddenTear",
+ "meta": {
+ "extensions": [
+ ".8lock8"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "READ_IT.txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/"
+ ]
+ },
+ "uuid": "b70b6537-cf00-4bd1-a4e9-ae5ff2eb7504"
+ },
+ {
+ "value": "AiraCrop",
+ "description": "Ransomware related to TeamXRat",
+ "meta": {
+ "extensions": [
+ "._AiraCropEncrypted"
+ ],
+ "ransomnotes": [
+ "How to decrypt your files.txt"
+ ],
+ "refs": [
+ "https://twitter.com/PolarToffee/status/796079699478900736"
+ ]
+ },
+ "uuid": 
"77919c1f-4ef8-41cd-a635-2d3118ade1f3"
+ },
+ {
+ "value": "Al-Namrood",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".unavailable",
+ ".disappeared"
+ ],
+ "ransomnotes": [
+ "Read_Me.Txt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/al-namrood"
+ ]
+ },
+ "uuid": "0040dca4-bf2e-43cb-89ae-ab1b50f1183d"
+ },
+ {
+ "value": "ALFA Ransomware",
+ "description": "Ransomware Made by creators of Cerber",
+ "meta": {
+ "extensions": [
+ ".bin"
+ ],
+ "ransomnotes": [
+ "README HOW TO DECRYPT YOUR FILES.HTML"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/"
+ ]
+ },
+ "uuid": "888abc95-9e01-4cbc-a6e5-058eb9314f51"
+ },
+ {
+ "value": "Alma Ransomware",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ "random",
+ "random(x5)"
+ ],
+ "encryption": "AES-128",
+ "ransomnotes": [
+ "Unlock_files_randomx5.html"
+ ],
+ "refs": [
+ "https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&__hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&__hssc=61627571.1.1472593507113&__hsfp=1114323283",
+ "https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter",
+ 
"http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/"
+ ]
+ },
+ "uuid": "76a08868-345f-4566-a403-5f5e575dfee5"
+ },
+ {
+ "value": "Alpha Ransomware",
+ "description": "Ransomware",
+ "meta": {
+ "synonyms": [
+ "AlphaLocker"
+ ],
+ "extensions": [
+ ".encrypt"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "Read Me (How Decrypt) !!!!.txt"
+ ],
+ "refs": [
+ "http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip",
+ "http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/",
+ "https://twitter.com/malwarebread/status/804714048499621888"
+ ]
+ },
+ "uuid": "a27fff00-995a-4598-ba00-05921bf20e80"
+ },
+ {
+ "value": "AMBA",
+ "description": "Ransomware Websites only amba@riseup.net",
+ "meta": {
+ "extensions": [
+ ".amba"
+ ],
+ "ransomnotes": [
+ "\u041f\u0420\u041e\u0427\u0422\u0418_\u041c\u0415\u041d\u042f.txt",
+ "READ_ME.txt"
+ ],
+ "refs": [
+ "https://twitter.com/benkow_/status/747813034006020096"
+ ]
+ },
+ "uuid": "8dd289d8-71bc-42b0-aafd-540dafa93343"
+ },
+ {
+ "value": "AngleWare",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".AngleWare"
+ ],
+ "ransomnotes": [
+ "READ_ME.txt"
+ ],
+ "refs": [
+ "https://twitter.com/BleepinComputer/status/844531418474708993"
+ ]
+ },
+ "uuid": "e06526ac-0083-44ab-8787-dd7278746bb6"
+ },
+ {
+ "value": "Anony",
+ "description": "Ransomware Based on HiddenTear",
+ "meta": {
+ "synonyms": [
+ "ngocanh"
+ ],
+ "refs": [
+ "https://twitter.com/struppigel/status/842047409446387714"
+ ]
+ },
+ "uuid": "5b94100d-83bb-4e30-be7a-6015c00356e0"
+ },
+ {
+ "value": "Apocalypse",
+ "description": "Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru",
+ "meta": {
+ "synonyms": [
+ "Fabiansomeware"
+ ],
+ "extensions": [
+ ".encrypted",
+ ".SecureCrypted",
+ ".FuckYourData",
+ ".unavailable",
+ 
".bleepYourFiles",
+ ".Where_my_files.txt",
+ "[filename].ID-*8characters+countrycode[cryptservice@inbox.ru].[random7characters]",
+ "*filename*.ID-[A-F0-9]{8}+countrycode[cryptcorp@inbox.ru].[a-z0-9]{13}"
+ ],
+ "ransomnotes": [
+ "*.How_To_Decrypt.txt",
+ "*.Contact_Here_To_Recover_Your_Files.txt",
+ "*.Where_my_files.txt",
+ "*.Read_Me.Txt",
+ "*md5*.txt"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/apocalypse",
+ "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/"
+ ]
+ },
+ "uuid": "e38b8876-5780-4574-9adf-304e9d659bdb"
+ },
+ {
+ "value": "ApocalypseVM",
+ "description": "Ransomware Apocalypse ransomware version which uses VMprotect",
+ "meta": {
+ "extensions": [
+ ".encrypted",
+ ".locked"
+ ],
+ "ransomnotes": [
+ "*.How_To_Get_Back.txt"
+ ],
+ "refs": [
+ "http://decrypter.emsisoft.com/download/apocalypsevm"
+ ]
+ },
+ "uuid": "5bc9c3a5-a35f-43aa-a999-fc7cd0685994"
+ },
+ {
+ "value": "AutoLocky",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".locky"
+ ],
+ "ransomnotes": [
+ "info.txt",
+ "info.html"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/autolocky"
+ ]
+ },
+ "uuid": "803fa9e2-8803-409a-b455-3a886c23fae4"
+ },
+ {
+ "value": "Aw3s0m3Sc0t7",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".enc"
+ ],
+ "refs": [
+ "https://twitter.com/struppigel/status/828902907668000770"
+ ]
+ },
+ "uuid": "dced0fe8-224e-47ef-92ed-5ab6c0536daa"
+ },
+ {
+ "value": "BadBlock",
+ "description": "Ransomware",
+ "meta": {
+ "ransomnotes": [
+ "Help Decrypt.html"
+ ],
+ "refs": [
+ "https://decrypter.emsisoft.com/badblock",
+ "http://www.nyxbone.com/malware/BadBlock.html",
+ "http://www.nyxbone.com/images/articulos/malware/badblock/5.png"
+ ]
+ },
+ "uuid": "f1a30552-21c1-46be-8b5f-64bd62b03d35"
+ },
+ {
+ "value": "BaksoCrypt",
+ "description": "Ransomware Based on my-Little-Ransomware",
+ "meta": {
+ "extensions": [
+ ".adr"
+ ],
+ "refs": [
+ 
"https://twitter.com/JakubKroustek/status/760482299007922176",
+ "https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-ransomware/"
+ ]
+ },
+ "uuid": "b21997a1-212f-4bbe-a6b7-3c703cbf113e"
+ },
+ {
+ "value": "Bandarchor",
+ "description": "Ransomware Files might be partially encrypted",
+ "meta": {
+ "synonyms": [
+ "Rakhni"
+ ],
+ "extensions": [
+ ".id-1235240425_help@decryptservice.info",
+ ".id-[ID]_[EMAIL_ADDRESS]"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "HOW TO DECRYPT.txt"
+ ],
+ "refs": [
+ "https://reaqta.com/2016/03/bandarchor-ransomware-still-active/",
+ "https://www.bleepingcomputer.com/news/security/new-bandarchor-ransomware-variant-spreads-via-malvertising-on-adult-sites/"
+ ]
+ },
+ "uuid": "af50d07e-3fc5-4014-9ac5-f5466cf042bc"
+ },
+ {
+ "value": "Bart",
+ "description": "Ransomware Possible affiliations with RockLoader, Locky and Dridex",
+ "meta": {
+ "synonyms": [
+ "BaCrypt"
+ ],
+ "extensions": [
+ ".bart.zip",
+ ".bart",
+ ".perl"
+ ],
+ "ransomnotes": [
+ "recover.txt",
+ "recover.bmp"
+ ],
+ "refs": [
+ "http://now.avg.com/barts-shenanigans-are-no-match-for-avg/",
+ "http://phishme.com/rockloader-downloading-new-ransomware-bart/",
+ "https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky"
+ ]
+ },
+ "uuid": "3cf2c880-e0b5-4311-9c4e-6293f2a566e7"
+ },
+ {
+ "value": "BitCryptor",
+ "description": "Ransomware Has a GUI. CryptoGraphic Locker family. 
Newer CoinVault variant.",
+ "meta": {
+ "extensions": [
+ ".clf"
+ ],
+ "refs": [
+ "https://noransom.kaspersky.com/"
+ ]
+ },
+ "uuid": "b5e9a802-cd17-4cd6-b83d-f36cce009808"
+ },
+ {
+ "value": "BitStak",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".bitstak"
+ ],
+ "encryption": "Base64 + String Replacement",
+ "refs": [
+ "https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip"
+ ]
+ },
+ "uuid": "33e398fa-2586-415e-9b18-6ea2ea36ff74"
+ },
+ {
+ "value": "BlackShades Crypter",
+ "description": "Ransomware",
+ "meta": {
+ "synonyms": [
+ "SilentShade"
+ ],
+ "extensions": [
+ ".Silent"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "Hacked_Read_me_to_decrypt_files.html",
+ "YourID.txt"
+ ],
+ "refs": [
+ "http://nyxbone.com/malware/BlackShades.html"
+ ]
+ },
+ "uuid": "bf065217-e13a-4f6d-a5b2-ba0750b5c312"
+ },
+ {
+ "value": "Blocatto",
+ "description": "Ransomware Based on HiddenTear",
+ "meta": {
+ "extensions": [
+ ".blocatto"
+ ],
+ "encryption": "AES-256",
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/"
+ ]
+ },
+ "uuid": "a3e1cfec-aacd-4d84-aa7d-99ed6c17f26d"
+ },
+ {
+ "value": "Booyah",
+ "description": "Ransomware EXE was replaced to neutralize threat",
+ "meta": {
+ "synonyms": [
+ "Salami"
+ ]
+ },
+ "uuid": "eee75995-321f-477f-8b57-eee4eedf4ba3"
+ },
+ {
+ "value": "Brazilian",
+ "description": "Ransomware Based on EDA2",
+ "meta": {
+ "extensions": [
+ ".lock"
+ ],
+ "encryption": "AES-256",
+ "ransomnotes": [
+ "MENSAGEM.txt"
+ ],
+ "refs": [
+ "http://www.nyxbone.com/malware/brazilianRansom.html",
+ "http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png"
+ ]
+ },
+ "uuid": "f9cf4f0d-3efc-4d6d-baf2-7dcb96db1279"
+ },
+ {
+ "value": "Brazilian Globe",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".id-%ID%_garryweber@protonmail.ch"
+ ],
+ "ransomnotes": [
+ "HOW_OPEN_FILES.html"
+ ],
+ "refs": [ 
+ "https://twitter.com/JakubKroustek/status/821831437884211201"
+ ]
+ },
+ "uuid": "d2bc5ec4-1dd1-408a-a6f6-621986657dff"
+ },
+ {
+ "value": "BrLock",
+ "description": "Ransomware",
+ "meta": {
+ "encryption": "AES",
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered"
+ ]
+ },
+ "uuid": "889d2296-40d2-49f6-be49-cbdfbcde2246"
+ },
+ {
+ "value": "Browlock",
+ "description": "Ransomware no local encryption, browser only",
+ "uuid": "9769be50-8e0b-4f52-b7f6-98aeac0aaac4"
+ },
+ {
+ "value": "BTCWare Related to / new version of CryptXXX",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".btcware"
+ ],
+ "ransomnotes": [
+ "#_HOW_TO_FIX_!.hta"
+ ],
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/845199679340011520"
+ ]
+ },
+ "uuid": "8d60dec9-d43f-4d52-904f-40fb67e57ef7"
+ },
+ {
+ "value": "Bucbi",
+ "description": "Ransomware no file name change, no extension",
+ "meta": {
+ "encryption": "GOST",
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/"
+ ]
+ },
+ "uuid": "3510ce65-80e6-4f80-8cde-bb5ad8a271c6"
+ },
+ {
+ "value": "BuyUnlockCode",
+ "description": "Ransomware Does not delete Shadow Copies",
+ "meta": {
+ "extensions": [
+ "(.*).encoded.([A-Z0-9]{9})"
+ ],
+ "ransomnotes": [
+ "BUYUNLOCKCODE.txt"
+ ]
+ },
+ "uuid": "289624c4-1d50-4178-9371-aebd95f423f9"
+ },
+ {
+ "value": "Central Security Treatment Organization",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".cry"
+ ],
+ "ransomnotes": [
+ "!Recovery_[random_chars].html",
+ "!Recovery_[random_chars].txt"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/"
+ ]
+ },
+ "uuid": "8ff729d9-aee5-4b85-a59d-3f57e105be40"
+ },
+ {
+ "value": "Cerber",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".cerber",
+ 
".cerber2",
+ ".cerber3"
+ ],
+ "synonyms": [
+ "CRBR ENCRYPTOR"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "# DECRYPT MY FILES #.html",
+ "# DECRYPT MY FILES #.txt",
+ "# DECRYPT MY FILES #.vbs",
+ "# README.hta",
+ "_{RAND}_README.jpg",
+ "_{RAND}_README.hta",
+ "_HELP_DECRYPT_[A-Z0-9]{4-8}_.jpg",
+ "_HELP_DECRYPT_[A-Z0-9]{4-8}_.hta",
+ "_HELP_HELP_HELP_%random%.jpg",
+ "_HELP_HELP_HELP_%random%.hta",
+ "_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.hta",
+ "_HOW_TO_DECRYPT_[A-Z0-9]{4-8}_.jpg"
+ ],
+ "refs": [
+ "https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/",
+ "https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410",
+ "https://www.bleepingcomputer.com/news/security/cerber-renames-itself-as-crbr-encryptor-to-be-a-pita/"
+ ]
+ },
+ "uuid": "190edf95-9cd9-4e4a-a228-b716d52a751b"
+ },
+ {
+ "value": "Chimera",
+ "description": "Ransomware",
+ "meta": {
+ "extensions": [
+ ".crypt",
+ "4 random characters, e.g., .PzZs, .MKJL"
+ ],
+ "ransomnotes": [
+ "YOUR_FILES_ARE_ENCRYPTED.HTML",
+ "YOUR_FILES_ARE_ENCRYPTED.TXT",
+ ".gif"
+ ],
+ "refs": [
+ "http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-petya-devs/",
+ "https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/"
+ ]
+ },
+ "uuid": "27b036f0-afa3-4984-95b3-47fa344b1aa7"
+ },
+ {
+ "value": "Clock",
+ "description": "Ransomware Does not encrypt anything",
+ "meta": {
+ "refs": [
+ "https://twitter.com/JakubKroustek/status/794956809866018816"
+ ]
+ },
+ "uuid": "af3b3bbb-b54d-49d0-8e58-e9c56762a96b"
+ },
+ {
+ "value": "CoinVault",
+ "description": "Ransomware CryptoGraphic Locker family. Has a GUI. 
Do not confuse with CrypVault!", + "meta": { + "extensions": [ + ".clf" + ], + "ransomnotes": [ + "wallpaper.jpg" + ], + "refs": [ + "https://noransom.kaspersky.com/" + ] + }, + "uuid": "15941fb1-08f0-4276-a61f-e2a306d6c6b5" + }, + { + "value": "Coverton", + "description": "Ransomware", + "meta": { + "extensions": [ + ".coverton", + ".enigma", + ".czvxce" + ], + "encryption": "AES-256", + "ransomnotes": [ + "!!!-WARNING-!!!.html", + "!!!-WARNING-!!!.txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your-data-back/" + ] + }, + "uuid": "36450e8c-ff66-4ecf-9c0f-fbfb27a72d63" + }, + { + "value": "Cryaki", + "description": "Ransomware", + "meta": { + "extensions": [ + ".{CRYPTENDBLACKDC}" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547" + ] + }, + "uuid": "2c11d679-1fb1-4bd7-9516-9c6f402f3c25" + }, + { + "value": "Crybola", + "description": "Ransomware", + "meta": { + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547" + ] + }, + "uuid": "93dcd241-f2d6-40f3-aee3-351420046a77" + }, + { + "value": "CryFile", + "description": "Ransomware", + "meta": { + "extensions": [ + ".criptiko", + ".criptoko", + ".criptokod", + ".cripttt", + ".aga" + ], + "encryption": "Moves bytes", + "refs": [ + "SHTODELATVAM.txt", + "Instructionaga.txt" + ], + "ransomnotes": [ + "http://virusinfo.info/showthread.php?t=185396" + ] + }, + "uuid": "0d46e21d-8f1c-4355-8205-185fb7e041a7" + }, + { + "value": "CryLocker", + "description": "Ransomware Identifies victim locations w/Google Maps API", + "meta": { + "synonyms": [ + "Cry", + "CSTO", + "Central Security Treatment Organization" + ], + "extensions": [ + ".cry" + ], + "ransomnotes": [ + "!Recovery_[random_chars].html", + "!Recovery_[random_chars].txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/" + ] + }, + "uuid": 
"629f6986-2c1f-4d0a-b805-e4ef3e2ce634" + }, + { + "value": "CrypMIC", + "description": "Ransomware CryptXXX clone/spinoff", + "meta": { + "encryption": "AES-256", + "ransomnotes": [ + "README.TXT", + "README.HTML", + "README.BMP" + ], + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/" + ] + }, + "uuid": "82cb7a40-0a78-4414-9afd-028d6b3082ea" + }, + { + "value": "Crypren", + "description": "Ransomware", + "meta": { + "extensions": [ + ".ENCRYPTED" + ], + "ransomnotes": [ + "READ_THIS_TO_DECRYPT.html" + ], + "refs": [ + "https://github.com/pekeinfo/DecryptCrypren", + "http://www.nyxbone.com/malware/Crypren.html", + "http://www.nyxbone.com/images/articulos/malware/crypren/0.png" + ] + }, + "uuid": "a9f05b4e-6b03-4211-a2bd-6b4432eb3388" + }, + { + "value": "Crypt38", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crypt38" + ], + "encryption": "AES", + "refs": [ + "https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip", + "https://blog.fortinet.com/2016/06/17/buggy-russian-ransomware-inadvertently-allows-free-decryption" + ] + }, + "uuid": "12a96f43-8a8c-410e-aaa3-ba6735276555" + }, + { + "value": "Crypter", + "description": "Ransomware Does not actually encrypt the files, but simply renames them", + "meta": { + "refs": [ + "https://twitter.com/jiriatvirlab/status/802554159564062722" + ] + }, + "uuid": "37edc8d7-c939-4a33-9ed5-dafbbc1e5b1e" + }, + { + "value": "CryptFIle2", + "description": "Ransomware", + "meta": { + "extensions": [ + ".scl", + "id[_ID]email_xerx@usa.com.scl" + ], + "encryption": "RSA", + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered" + ] + }, + "uuid": "5b0dd136-6428-48c8-b2a6-8e926a82dfac" + }, + { + "value": "CryptInfinite", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crinf" + ], + "refs": [ + "https://decrypter.emsisoft.com/" + ] + }, + 
"uuid": "2b0d60c3-6560-49ac-baf0-5f642e8a77de" + }, + { + "value": "CryptoBit", + "description": "Ransomware sekretzbel0ngt0us.KEY - do not confuse with CryptorBit.", + "meta": { + "encryption": "AES + RSA", + "ransomnotes": [ + "OKSOWATHAPPENDTOYOURFILES.TXT" + ], + "refs": [ + "http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/", + "http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml" + ] + }, + "uuid": "1903ed75-05f7-4019-b0b7-7a8f23f22194" + }, + { + "value": "CryptoDefense", + "description": "Ransomware no extension change", + "meta": { + "ransomnotes": [ + "HOW_DECRYPT.TXT", + "HOW_DECRYPT.HTML", + "HOW_DECRYPT.URL" + ], + "refs": [ + "https://decrypter.emsisoft.com/" + ] + }, + "uuid": "ad9eeff2-91b4-440a-ae74-ab84d3e2075e" + }, + { + "value": "CryptoFinancial", + "description": "Ransomware", + "meta": { + "synonyms": [ + "Ranscam" + ], + "refs": [ + "http://blog.talosintel.com/2016/07/ranscam.html", + "https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/" + ] + }, + "uuid": "383d7ebb-9b08-4874-b5d7-dc02b499c38f" + }, + { + "value": "CryptoFortress", + "description": "Ransomware Mimics Torrentlocker. Encrypts only 50% of each file up to 5 MB", + "meta": { + "extensions": [ + ".frtrss" + ], + "encryption": "AES-256 + RSA-1024", + "ransomnotes": [ + "READ IF YOU WANT YOUR FILES BACK.html" + ] + }, + "uuid": "26c8b446-305c-4057-83bc-85b09630281e" + }, + { + "value": "CryptoGraphic Locker", + "description": "Ransomware Has a GUI. 
Subvariants: CoinVault BitCryptor", + "meta": { + "extensions": [ + ".clf" + ], + "ransomnotes": [ + "wallpaper.jpg" + ] + }, + "uuid": "58534bc4-eb96-44f4-bdad-2cc5cfea8c6f" + }, + { + "value": "CryptoHost", + "description": "Ransomware RAR's victim's files has a GUI", + "meta": { + "synonyms": [ + "Manamecrypt", + "Telograph", + "ROI Locker" + ], + "encryption": "AES-256 (RAR implementation)", + "refs": [ + "http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/" + ] + }, + "uuid": "dba2cf74-16a9-4ed8-8536-6542fda95999" + }, + { + "value": "CryptoJoker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crjoker" + ], + "encryption": "AES-256", + "ransomnotes": [ + "README!!!.txt", + "GetYouFiles.txt", + "crjoker.html" + ] + }, + "uuid": "2fb307a2-8752-4521-8973-75b68703030d" + }, + { + "value": "CryptoLocker", + "description": "Ransomware no longer relevant", + "meta": { + "extensions": [ + ".encrypted", + ".ENC" + ], + "refs": [ + "https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html", + "https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/" + ] + }, + "uuid": "b35b1ca2-f99c-4495-97a5-b8f30225cb90" + }, + { + "value": "CryptoLocker 1.0.0", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/malwrhunterteam/status/839747940122001408" + ] + }, + "uuid": "8d5e3b1f-e333-4eed-8dec-d74f19d6bcbb" + }, + { + "value": "CryptoLocker 5.1", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/malwrhunterteam/status/782890104947867649" + ] + }, + "uuid": "e1412d2a-2a94-4c83-aed0-9e09523514a4" + }, + { + "value": "CryptoMix", + "description": "Ransomware", + "meta": { + "synonyms": [ + "Zeta" + ], + "extensions": [ + ".code", + ".scl", + ".rmd", + ".lesli", + ".rdmk", + ".CRYPTOSHIELD", + ".CRYPTOSHIEL", + ".id_(ID_MACHINE)_email_xoomx@dr.com_.code", + 
".id_*_email_zeta@dr.com", + ".id_(ID_MACHINE)_email_anx@dr.com_.scl", + ".email[supl0@post.com]id[\\[[a-z0-9]{16}\\]].lesli", + "*filename*.email[*email*]_id[*id*].rdmk", + ".EMPTY", + ".0000", + ".XZZX", + ".TEST", + ".WORK", + ".SYSTEM" + ], + "ransomnotes": [ + "HELP_YOUR_FILES.html (CryptXXX)", + "HELP_YOUR_FILES.txt (CryptoWall 3.0, 4.0)", + "INSTRUCTION RESTORE FILE.TXT", + "# HELP_DECRYPT_YOUR_FILES #.TXT", + "_HELP_INSTRUCTION.TXT", + "C:\\ProgramData\\[random].exe", + "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nempty01@techmail.info\n\nempty02@yahooweb.co\n\nempty003@protonmail.com\n\nWe will help You as soon as possible!\n\nDECRYPT-ID-[id] number", + "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]", + "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nxzzx@tuta.io\n\nxzzx1@protonmail.com\n\nxzzx10@yandex.com\n\nxzzx101@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id] number", + "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ntest757@tuta.io\n\ntest757@protonmail.com\n\ntest757xz@yandex.com\n\ntest757xy@yandex.com\n\ntest757@consultant.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number", + "Attention! 
All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number", + "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number" + ], + "refs": [ + "http://www.nyxbone.com/malware/CryptoMix.html", + "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/", + "https://twitter.com/JakubKroustek/status/804009831518572544", + "https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomware-variant-released/", + "https://www.bleepingcomputer.com/news/security/0000-cryptomix-ransomware-variant-released/", + "https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-variant-released/", + "https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/", + "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/", + "https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/" + ] + }, + "uuid": "c76110ea-15f1-4adf-a28d-c707374dbb3a" + }, + { + "value": "CryptoRansomeware", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/malwrhunterteam/status/817672617658347521" + ] + }, + "uuid": "de53f392-8794-43d1-a38b-c0b90c20a3fb" + }, + { + "value": "CryptoRoger", + "description": 
"Ransomware", + "meta": { + "extensions": [ + ".crptrgr" + ], + "encryption": "AES", + "ransomnotes": [ + "!Where_are_my_files!.html" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/new-ransomware-called-cryptoroger-that-appends-crptrgr-to-encrypted-files/" + ] + }, + "uuid": "b6fe71ba-b0f4-4cc4-b84c-d3d80a37eada" + }, + { + "value": "CryptoShadow", + "description": "Ransomware", + "meta": { + "extensions": [ + ".doomed" + ], + "ransomnotes": [ + "LEER_INMEDIATAMENTE.txt" + ], + "refs": [ + "https://twitter.com/struppigel/status/821992610164277248" + ] + }, + "uuid": "b11563ce-cced-4c8b-a3a1-0c4ff76aa0ef" + }, + { + "value": "CryptoShocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".locked" + ], + "encryption": "AES", + "ransomnotes": [ + "ATTENTION.url" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/617601/cryptoshocker-ransomware-help-and-support-topic-locked-attentionurl/" + ] + }, + "uuid": "545b4b25-763a-4a5c-8dda-12142c00422c" + }, + { + "value": "CryptoTorLocker2015", + "description": "Ransomware", + "meta": { + "extensions": [ + ".CryptoTorLocker2015!" 
+ ], + "ransomnotes": [ + "HOW TO DECRYPT FILES.txt", + "%Temp%\\.bmp" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypted/" + ] + }, + "uuid": "06ec3640-4b93-4e79-a8ec-e24b3d349dd5" + }, + { + "value": "CryptoTrooper", + "description": "Ransomware", + "meta": { + "encryption": "AES", + "refs": [ + "http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml" + ] + }, + "uuid": "13fdf55f-46f7-4635-96b8-b4806c78a80c" + }, + { + "value": "CryptoWall 1", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "DECRYPT_INSTRUCTION.HTM", + "DECRYPT_INSTRUCTION.TXT", + "DECRYPT_INSTRUCTION.URL", + "INSTALL_TOR.URL" + ] + }, + "uuid": "5559fbc1-52c6-469c-be97-8f8344765577" + }, + { + "value": "CryptoWall 2", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "HELP_DECRYPT.TXT", + "HELP_DECRYPT.PNG", + "HELP_DECRYPT.URL", + "HELP_DECRYPT.HTML" + ] + }, + "uuid": "f2780d22-4410-4a2f-a1c3-f43807ed1f19" + }, + { + "value": "CryptoWall 3", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "HELP_DECRYPT.TXT", + "HELP_DECRYPT.PNG", + "HELP_DECRYPT.URL", + "HELP_DECRYPT.HTML" + ], + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/", + "https://www.virustotal.com/en/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/" + ] + }, + "uuid": "9d35fe47-5f8c-494c-a74f-23a7ac7f44be" + }, + { + "value": "CryptoWall 4", + "description": "Ransomware", + "meta": { + "extensions": [ + "., e.g. 
,27p9k967z.x1nep" + ], + "ransomnotes": [ + "HELP_YOUR_FILES.HTML", + "HELP_YOUR_FILES.PNG" + ] + }, + "uuid": "f7c04ce6-dd30-4a94-acd4-9a3125bcb12e" + }, + { + "value": "CryptXXX", + "description": "Ransomware Comes with Bedep", + "meta": { + "synonyms": [ + "CryptProjectXXX" + ], + "extensions": [ + ".crypt" + ], + "ransomnotes": [ + "de_crypt_readme.bmp, .txt, .html" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547", + "http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information" + ] + }, + "uuid": "255aac37-e4d2-4eeb-b8de-143f9c2321bd" + }, + { + "value": "CryptXXX 2.0", + "description": "Ransomware Locks screen. Ransom note names are an ID. Comes with Bedep.", + "meta": { + "synonyms": [ + "CryptProjectXXX" + ], + "extensions": [ + ".crypt" + ], + "ransomnotes": [ + ".txt, .html, .bmp" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547", + "https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool", + "http://blogs.cisco.com/security/cryptxxx-technical-deep-dive" + ] + }, + "uuid": "e272d0b5-cdfc-422a-bb78-9214475daec5" + }, + { + "value": "CryptXXX 3.0", + "description": "Ransomware Comes with Bedep", + "meta": { + "synonyms": [ + "UltraDeCrypter", + "UltraCrypter" + ], + "extensions": [ + ".crypt", + ".cryp1", + ".crypz", + ".cryptz", + "random" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547", + "http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/", + "http://blogs.cisco.com/security/cryptxxx-technical-deep-dive" + ] + }, + "uuid": "60a50fe5-53ea-43f0-8a17-e7134f5fc371" + }, + { + "value": "CryptXXX 3.1", + "description": "Ransomware StilerX credential stealing", + "meta": { + "extensions": [ + ".cryp1" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547", + 
"https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100" + ] + }, + "uuid": "3f5a76ea-6b83-443e-b26f-b2b2d02d90e0" + }, + { + "value": "CryPy", + "description": "Ransomware", + "meta": { + "extensions": [ + ".cry" + ], + "encryption": "AES", + "ransomnotes": [ + "README_FOR_DECRYPT.txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-job-imitating-ctb-locker/" + ] + }, + "uuid": "0b0f5f33-1871-461d-8e7e-b5e0ebc82311" + }, + { + "value": "CTB-Faker", + "description": "Ransomware", + "meta": { + "synonyms": [ + "Citroni" + ], + "extensions": [ + ".ctbl", + ".([a-z]{6,7})" + ], + "encryption": "RSA-2048", + "ransomnotes": [ + "AllFilesAreLocked .bmp", + "DecryptAllFiles .txt", + ".html" + ] + }, + "uuid": "6212bf8f-07db-490a-8cef-ac42042076c1" + }, + { + "value": "CTB-Locker WEB", + "description": "Ransomware websites only", + "meta": { + "refs": [ + "https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/", + "https://github.com/eyecatchup/Critroni-php" + ] + }, + "uuid": "555b2c6f-0848-4ac1-9443-e4c20814459a" + }, + { + "value": "CuteRansomware", + "description": "Ransomware Based on my-Little-Ransomware", + "meta": { + "synonyms": [ + "my-Little-Ransomware" + ], + "extensions": [ + ".\u5df2\u52a0\u5bc6", + ".encrypted" + ], + "encryption": "AES-128", + "ransomnotes": [ + "\u4f60\u7684\u6a94\u6848\u88ab\u6211\u5011\u52a0\u5bc6\u5566!!!.txt", + "Your files encrypted by our friends !!! 
txt" + ], + "refs": [ + "https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool", + "https://github.com/aaaddress1/my-Little-Ransomware" + ] + }, + "uuid": "1a369bbf-6f03-454c-b507-15abe2a8bbb4" + }, + { + "value": "Cyber SpLiTTer Vbs", + "description": "Ransomware Based on HiddenTear", + "meta": { + "synonyms": [ + "CyberSplitter" + ], + "refs": [ + "https://twitter.com/struppigel/status/778871886616862720", + "https://twitter.com/struppigel/status/806758133720698881" + ] + }, + "uuid": "587589df-ee42-43f4-9480-c65d6e1d7e0f" + }, + { + "value": "Death Bitches", + "description": "Ransomware", + "meta": { + "extensions": [ + ".locked" + ], + "ransomnotes": [ + "READ_IT.txt" + ], + "refs": [ + "https://twitter.com/JaromirHorejsi/status/815555258478981121" + ] + }, + "uuid": "0f074c07-613d-43cb-bd5f-37c747d39fe2" + }, + { + "value": "DeCrypt Protect", + "description": "Ransomware", + "meta": { + "extensions": [ + ".html" + ], + "refs": [ + "http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/" + ] + }, + "uuid": "c80c78ae-fc05-44cf-8b47-4d50c103ca70" + }, + { + "value": "DEDCryptor", + "description": "Ransomware Based on EDA2", + "meta": { + "extensions": [ + ".ded" + ], + "encryption": "AES-256", + "refs": [ + "http://www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic/", + "http://www.nyxbone.com/malware/DEDCryptor.html" + ] + }, + "uuid": "496b6c3c-771a-46cd-8e41-ce7c4168ae20" + }, + { + "value": "Demo", + "description": "Ransomware only encrypts .jpg files", + "meta": { + "extensions": [ + ".encrypted" + ], + "ransomnotes": [ + "HELP_YOUR_FILES.txt" + ], + "refs": [ + "https://twitter.com/struppigel/status/798573300779745281" + ] + }, + "uuid": "b314d86f-92bb-4be3-b32a-19d6f8eb55d4" + }, + { + "value": "DetoxCrypto", + "description": "Ransomware - Based on Detox: Calipso, We are all Pokemons, Nullbyte", + "meta": { + "encryption": "AES", + "refs": [ + 
"http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/" + ] + }, + "uuid": "be094d75-eba8-4ff3-91f1-f8cde687e5ed" + }, + { + "value": "Digisom", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "Digisom Readme0.txt (0 to 9)" + ], + "refs": [ + "https://twitter.com/PolarToffee/status/829727052316160000" + ] + }, + "uuid": "c5b2a0bc-352f-481f-8c35-d378754793c0" + }, + { + "value": "DirtyDecrypt", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/demonslay335/status/752586334527709184" + ] + }, + "uuid": "5ad8a530-3ab9-48b1-9a75-e1e97b3f77ec" + }, + { + "value": "DMALocker", + "description": "Ransomware no extension change Encrypted files have prefix: Version 1: ABCXYZ11 - Version 2: !DMALOCK - Version 3: !DMALOCK3.0 - Version 4: !DMALOCK4.0", + "meta": { + "encryption": "AES-256 in ECB mode, Version 2-4 also RSA", + "ransomnotes": [ + "cryptinfo.txt", + "decrypting.txt", + "start.txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/", + "https://github.com/hasherezade/dma_unlocker", + "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg", + "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/" + ] + }, + "uuid": "407ebc7c-5b05-488f-862f-b2bf6c562372" + }, + { + "value": "DMALocker 3.0", + "description": "Ransomware", + "meta": { + "encryption": "AES-256 + XPTLOCK5.0", + "refs": [ + "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg", + "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/" + ] + }, + "uuid": "ba39be57-c138-48d5-b46b-d996ff899ffa" + }, + { + "value": "DNRansomware", + "description": "Ransomware Code to decrypt: 83KYG9NW-3K39V-2T3HJ-93F3Q-GT", + "meta": { + "extensions": [ + ".fucked" + ], + "refs": [ + "https://twitter.com/BleepinComputer/status/822500056511213568" + ] + }, + "uuid": 
"45cae006-5d14-4c95-bb5b-dcf5555d7c78" + }, + { + "value": "Domino", + "description": "Ransomware Based on Hidden Tear", + "meta": { + "extensions": [ + ".domino" + ], + "encryption": "AES-256", + "ransomnotes": [ + "README_TO_RECURE_YOUR_FILES.txt" + ], + "refs": [ + "http://www.nyxbone.com/malware/Domino.html", + "http://www.bleepingcomputer.com/news/security/the-curious-case-of-the-domino-ransomware-a-windows-crack-and-a-cow/" + ] + }, + "uuid": "7cb20800-2033-49a4-bdf8-a7da5a24f7f1" + }, + { + "value": "DoNotChange", + "description": "Ransomware", + "meta": { + "extensions": [ + ".id-7ES642406.cry", + ".Do_not_change_the_filename" + ], + "encryption": "AES-128", + "ransomnotes": [ + "HOW TO DECODE FILES!!!.txt", + "\u041a\u0410\u041a \u0420\u0410\u0421\u0428\u0418\u0424\u0420\u041e\u0412\u0410\u0422\u042c \u0424\u0410\u0419\u041b\u042b!!!.txt" + ], + "refs": [ + "https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/" + ] + }, + "uuid": "2e6f4fa6-5fdf-4d69-b764-063d88ba1dd0" + }, + { + "value": "DummyLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".dCrypt" + ], + "refs": [ + "https://twitter.com/struppigel/status/794108322932785158" + ] + }, + "uuid": "55446b3a-fdc7-4c75-918a-2d9fb5cdf3ff" + }, + { + "value": "DXXD", + "description": "Ransomware", + "meta": { + "extensions": [ + ".dxxd" + ], + "ransomnotes": [ + "ReadMe.TxT" + ], + "refs": [ + "https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/", + "https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal-notice-before-users-login/" + ] + }, + "uuid": "57108b9e-5af8-4797-9924-e424cb5e9903" + }, + { + "value": "HiddenTear", + "description": "Ransomware Open sourced C#", + "meta": { + "synonyms": [ + "Cryptear", + "EDA2" + ], + "extensions": [ + ".locked" + ], + "encryption": "AES-256", + "refs": [ + 
"http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html" + ] + }, + "uuid": "254f4f67-d850-4dc5-8ddb-2e955ddea287" + }, + { + "value": "EduCrypt", + "description": "Ransomware Based on Hidden Tear", + "meta": { + "synonyms": [ + "EduCrypter" + ], + "extensions": [ + ".isis", + ".locked" + ], + "ransomnotes": [ + "README.txt" + ], + "refs": [ + "http://www.filedropper.com/decrypter_1", + "https://twitter.com/JakubKroustek/status/747031171347910656" + ] + }, + "uuid": "826a341a-c329-4e1e-bc9f-5d44c8317557" + }, + { + "value": "EiTest", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crypted" + ], + "refs": [ + "https://twitter.com/BroadAnalysis/status/845688819533930497", + "https://twitter.com/malwrhunterteam/status/845652520202616832" + ] + }, + "uuid": "0a24ea0d-3f8a-428a-8b77-ef5281c1ee05" + }, + { + "value": "El-Polocker", + "description": "Ransomware Has a GUI", + "meta": { + "synonyms": [ + "Los Pollos Hermanos" + ], + "extensions": [ + ".ha3" + ], + "ransomnotes": [ + "qwer.html", + "qwer2.html", + "locked.bmp" + ] + }, + "uuid": "63d9cb32-a1b9-46c3-818a-df16d8b9e46a" + }, + { + "value": "Encoder.xxxx", + "description": "Ransomware Coded in GO", + "meta": { + "synonyms": [ + "Trojan.Encoder.6491" + ], + "ransomnotes": [ + "Instructions.html" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/", + "http://vms.drweb.ru/virus/?_is=1&i=8747343" + ] + }, + "uuid": "f855609e-b7ab-41e8-aafa-62016f8f4e1a" + }, + { + "value": "encryptoJJS", + "description": "Ransomware", + "meta": { + "extensions": [ + ".enc" + ], + "ransomnotes": [ + "How to recover.enc" + ] + }, + "uuid": "3e5deef2-bace-40bc-beb1-5d9009233667" + }, + { + "value": "Enigma", + "description": "Ransomware", + "meta": { + "extensions": [ + ".enigma", + ".1txt" + ], + "encryption": "AES-128", + "ransomnotes": [ + "enigma.hta", + "enigma_encr.txt", + "enigma_info.txt" + ], + 
"refs": [ + "http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/" + ] + }, + "uuid": "1b24d240-df72-4388-946b-efa07a9447bb" + }, + { + "value": "Enjey", + "description": "Ransomware Based on RemindMe", + "meta": { + "refs": [ + "https://twitter.com/malwrhunterteam/status/839022018230112256" + ] + }, + "uuid": "198891fb-26a4-455a-9719-4130bedba103" + }, + { + "value": "Fairware", + "description": "Ransomware Target Linux O.S.", + "meta": { + "refs": [ + "http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/" + ] + }, + "uuid": "6771b42f-1d95-4b2e-bbb5-9ab703bbaa9d" + }, + { + "value": "Fakben", + "description": "Ransomware Based on Hidden Tear", + "meta": { + "extensions": [ + ".locked" + ], + "ransomnotes": [ + "READ ME FOR DECRYPT.txt" + ], + "refs": [ + "https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code" + ] + }, + "uuid": "c308346a-2746-4900-8149-464a09086b55" + }, + { + "value": "FakeCryptoLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".cryptolocker" + ], + "refs": [ + "https://twitter.com/PolarToffee/status/812312402779836416" + ] + }, + "uuid": "abddc01f-7d76-47d4-985d-ea6d16acccb1" + }, + { + "value": "Fantom", + "description": "Ransomware Based on EDA2", + "meta": { + "synonyms": [ + "Comrad Circle" + ], + "extensions": [ + ".fantom", + ".comrade" + ], + "encryption": "AES-128", + "ransomnotes": [ + "DECRYPT_YOUR_FILES.HTML", + "RESTORE-FILES![id]" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/" + ] + }, + "uuid": "35be87a5-b498-4693-8b8d-8b17864ac088" + }, + { + "value": "FenixLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".FenixIloveyou!!" 
+ ], + "ransomnotes": [ + "Help to decrypt.txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/fenixlocker", + "https://twitter.com/fwosar/status/777197255057084416" + ] + }, + "uuid": "f9f54046-ed5d-4353-8b81-d92b51f596b4" + }, + { + "value": "FILE FROZR", + "description": "Ransomware RaaS", + "meta": { + "refs": [ + "https://twitter.com/rommeljoven17/status/846973265650335744" + ] + }, + "uuid": "2a50f476-7355-4d58-b0ce-4235b2546c90" + }, + { + "value": "FileLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".ENCR" + ], + "refs": [ + "https://twitter.com/jiriatvirlab/status/836616468775251968" + ] + }, + "uuid": "b92bc550-7edb-4f8f-96fc-cf47d437df32" + }, + { + "value": "FireCrypt", + "description": "Ransomware", + "meta": { + "extensions": [ + ".firecrypt" + ], + "encryption": "AES-256", + "ransomnotes": [ + "[random_chars]-READ_ME.html" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" + ] + }, + "uuid": "721ba430-fd28-454c-8512-24339ef2235f" + }, + { + "value": "Flyper", + "description": "Ransomware Based on EDA2 / HiddenTear", + "meta": { + "extensions": [ + ".locked" + ], + "refs": [ + "https://twitter.com/malwrhunterteam/status/773771485643149312" + ] + }, + "uuid": "1a110f7e-8820-4a9a-86c0-db4056f0b911" + }, + { + "value": "Fonco", + "description": "Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents", + "meta": { + "ransomnotes": [ + "help-file-decrypt.enc", + "/pronk.txt" + ] + }, + "uuid": "3d75cb84-2f14-408d-95bd-f1316bf854e6" + }, + { + "value": "FortuneCookie ", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/struppigel/status/842302481774321664" + ] + }, + "uuid": "2db3aafb-b219-4b52-8dfe-ce41416ebeab" + }, + { + "value": "Free-Freedom", + "description": "Ransomware Unlock code is: adam or adamdude9", + "meta": { + "synonyms": [ + "Roga" + ], + "extensions": [ + ".madebyadam" + ], + "refs": [ 
+ "https://twitter.com/BleepinComputer/status/812135608374226944" + ] + }, + "uuid": "175ebcc0-d74f-49b2-9226-c660ca1fe2e8" + }, + { + "value": "FSociety", + "description": "Ransomware Based on EDA2 and RemindMe", + "meta": { + "extensions": [ + ".fs0ciety", + ".dll" + ], + "ransomnotes": [ + "fs0ciety.html", + "DECRYPT_YOUR_FILES.HTML" + ], + "refs": [ + "https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-help-support-fs0cietyhtml/", + "http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/", + "https://twitter.com/siri_urz/status/795969998707720193" + ] + }, + "uuid": "d1e7c0d9-3c96-41b7-a4a2-7eaef64d7b0f" + }, + { + "value": "Fury", + "description": "Ransomware", + "meta": { + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547" + ] + }, + "uuid": "291997b1-72b6-43ea-9365-b4d55eddca71" + }, + { + "value": "GhostCrypt", + "description": "Ransomware Based on Hidden Tear", + "meta": { + "extensions": [ + ".Z81928819" + ], + "encryption": "AES-256", + "refs": [ + "https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip", + "http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/" + ] + }, + "uuid": "3b681f76-b0e4-4ba7-a113-5dd87d6ee53b" + }, + { + "value": "Gingerbread", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/ni_fi_70/status/796353782699425792" + ] + }, + "uuid": "c6419971-47f8-4c80-a685-77292ff30fa7" + }, + { + "value": "Globe v1", + "description": "Ransomware", + "meta": { + "synonyms": [ + "Purge" + ], + "extensions": [ + ".purge" + ], + "encryption": "Blowfish", + "ransomnotes": [ + "How to restore files.hta" + ], + "refs": [ + "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221", + "http://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/" + ] + }, + "uuid": "b247b6e5-f51b-4bb5-8f5a-1628843abe99" + }, + { + 
"value": "GNL Locker", + "description": "Ransomware Only encrypts DE or NL country. Variants, from old to latest: Zyklon Locker, WildFire locker, Hades Locker", + "meta": { + "extensions": [ + ".locked", + ".locked, e.g., bill.!ID!8MMnF!ID!.locked" + ], + "encryption": "AES-256", + "ransomnotes": [ + "UNLOCK_FILES_INSTRUCTIONS.html and .txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/" + ] + }, + "uuid": "390abe30-8b9e-439e-a6d3-2ee978f05fba" + }, + { + "value": "Gomasom", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crypt", + "!___[EMAILADDRESS]_.crypt" + ], + "refs": [ + "https://decrypter.emsisoft.com/" + ] + }, + "uuid": "70b85861-f419-4ad5-9aa6-254db292e043" + }, + { + "value": "Goopic", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "Your files have been crypted.html" + ], + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/" + ] + }, + "uuid": "3229a370-7a09-4b93-ad89-9555a847b1dd" + }, + { + "value": "Gopher", + "description": "Ransomware OS X ransomware (PoC)", + "uuid": "ec461b8a-5390-4304-9d2a-a20c7ed6a9db" + }, + { + "value": "Hacked", + "description": "Ransomware Jigsaw Ransomware variant", + "meta": { + "extensions": [ + ".versiegelt", + ".encrypted", + ".payrmts", + ".locked", + ".Locked" + ], + "refs": [ + "https://twitter.com/demonslay335/status/806878803507101696" + ] + }, + "uuid": "7f2df0cd-5962-4687-90a2-a49eab2b12bc" + }, + { + "value": "HappyDayzz", + "description": "Ransomware", + "meta": { + "encryption": "3DES, AES-128, AES-192, AES-256, DES, RC2, RC4", + "refs": [ + "https://twitter.com/malwrhunterteam/status/847114064224497666" + ] + }, + "uuid": "e71c76f3-8274-4ec5-ac11-ac8b8286d069" + }, + { + "value": "Harasom", + "description": "Ransomware", + "meta": { + "extensions": [ + ".html" + ], + "refs": [ + 
"https://decrypter.emsisoft.com/" + ] + }, + "uuid": "5cadd11c-002a-4062-bafd-aadb7d740f59" + }, + { + "value": "HDDCryptor", + "description": "Ransomware Uses https://diskcryptor.net for full disk encryption", + "meta": { + "synonyms": [ + "Mamba" + ], + "encryption": "Custom (net shares), XTS-AES (disk)", + "refs": [ + "https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho", + "blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/" + ] + }, + "uuid": "95be4cd8-1d98-484f-a328-a5917a05e3c8" + }, + { + "value": "Heimdall", + "description": "Ransomware File marker: \"Heimdall---\"", + "meta": { + "encryption": "AES-128-CBC", + "refs": [ + "https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/" + ] + }, + "uuid": "c6d6ddf0-2afa-4cca-8982-ba2a7c0441ae" + }, + { + "value": "Help_dcfile", + "description": "Ransomware", + "meta": { + "extensions": [ + ".XXX" + ], + "ransomnotes": [ + "help_dcfile.txt" + ] + }, + "uuid": "2fdc6daa-6b6b-41b9-9a25-1030101478c3" + }, + { + "value": "Herbst", + "description": "Ransomware", + "meta": { + "extensions": [ + ".herbst" + ], + "encryption": "AES-256", + "refs": [ + "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware" + ] + }, + "uuid": "6489895b-0213-4564-9cfc-777df58d84c9" + }, + { + "value": "Hi Buddy!", + "description": "Ransomware Based on HiddenTear", + "meta": { + "extensions": [ + ".cry" + ], + "encryption": "AES-256", + "refs": [ + "http://www.nyxbone.com/malware/hibuddy.html" + ] + }, + "uuid": "a0d6563d-1e98-4e49-9151-39fbeb09ef76" + }, + { + "value": "Hitler", + "description": "Ransomware Deletes files", + "meta": { + "extensions": [ + "removes extensions" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/development-version-of-the-hitler-ransomware-discovered/", + 
"https://twitter.com/jiriatvirlab/status/825310545800740864" + ] + }, + "uuid": "8807752b-bd26-45a7-ba34-c8ddd8e5781d" + }, + { + "value": "HolyCrypt", + "description": "Ransomware", + "meta": { + "extensions": [ + "(encrypted)" + ], + "encryption": "AES", + "refs": [ + "http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/" + ] + }, + "uuid": "c71819a4-f6ce-4265-b0cd-24a98d84321c" + }, + { + "value": "HTCryptor", + "description": "Ransomware Includes a feature to disable the victim's windows firewall Modified in-dev HiddenTear", + "meta": { + "refs": [ + "https://twitter.com/BleepinComputer/status/803288396814839808" + ] + }, + "uuid": "728aecfc-9b99-478f-a0a3-8c0fb6896353" + }, + { + "value": "HydraCrypt", + "description": "Ransomware CrypBoss Family", + "meta": { + "extensions": [ + "hydracrypt_ID_[\\w]{8}" + ], + "ransomnotes": [ + "README_DECRYPT_HYRDA_ID_[ID number].txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/", + "http://www.malware-traffic-analysis.net/2016/02/03/index2.html" + ] + }, + "uuid": "335c3ab6-8f2c-458c-92a3-2f3a09a6064c" + }, + { + "value": "iLock", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crime" + ], + "refs": [ + "https://twitter.com/BleepinComputer/status/817085367144873985" + ] + }, + "uuid": "68e90fa4-ea66-4159-b454-5f48fdae3d89" + }, + { + "value": "iLockLight", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crime" + ] + }, + "uuid": "cb374ee8-76c0-4db8-9026-a57a51d9a0a1" + }, + { + "value": "International Police Association", + "description": "Ransomware CryptoTorLocker2015 variant", + "meta": { + "extensions": [ + "<6 random characters>" + ], + "ransomnotes": [ + "%Temp%\\.bmp" + ], + "refs": [ + "http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe" + ] + }, + "uuid": "a66fbb1e-ba59-48c1-aac8-8678b4a98dc1" + }, + { + "value": "iRansom", + "description": "Ransomware", + "meta": { + "extensions": [ + ".Locked" + ], + "refs": [ 
+ "https://twitter.com/demonslay335/status/796134264744083460" + ] + }, + "uuid": "4514ecd4-850d-446f-82cb-0668d2c94ffa" + }, + { + "value": "JagerDecryptor", + "description": "Ransomware Prepends filenames", + "meta": { + "extensions": [ + "!ENC" + ], + "ransomnotes": [ + "Important_Read_Me.html" + ], + "refs": [ + "https://twitter.com/JakubKroustek/status/757873976047697920" + ] + }, + "uuid": "25a086aa-e25c-4190-a848-69d9f46fd8ab" + }, + { + "value": "Jeiphoos", + "description": "Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.", + "meta": { + "synonyms": [ + "Encryptor RaaS", + "Sarento" + ], + "encryption": "RC6 (files), RSA 2048 (RC6 key)", + "ransomnotes": [ + "readme_liesmich_encryptor_raas.txt" + ], + "refs": [ + "http://www.nyxbone.com/malware/RaaS.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-and-fall-of-encryptor-raas/" + ] + }, + "uuid": "50014fe7-5efd-4639-82ef-30d36f4d2918" + }, + { + "value": "Jhon Woddy", + "description": "Ransomware Same codebase as DNRansomware Lock screen password is M3VZ>5BwGGVH", + "meta": { + "extensions": [ + ".killedXXX" + ], + "refs": [ + "https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip", + "https://twitter.com/BleepinComputer/status/822509105487245317" + ] + }, + "uuid": "fedd7285-d4bd-4411-985e-087954cee96d" + }, + { + "value": "Jigsaw", + "description": "Ransomware Has a GUI", + "meta": { + "synonyms": [ + "CryptoHitMan" + ], + "extensions": [ + ".btc", + ".kkk", + ".fun", + ".gws", + ".porno", + ".payransom", + ".payms", + ".paymst", + ".AFD", + ".paybtcs", + ".epic", + ".xyz", + ".encrypted", + ".hush", + ".paytounlock", + ".uk-dealer@sigaint.org", + ".gefickt", + ".nemo-hacks.at.sigaint.org" + ], + "encryption": "AES-256", + "refs": [ + "http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/", + 
"https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/", + "https://twitter.com/demonslay335/status/795819556166139905" + ] + }, + "uuid": "1e3384ae-4b48-4c96-b7c2-bc1cc1eda203" + }, + { + "value": "Job Crypter", + "description": "Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC", + "meta": { + "extensions": [ + ".locked", + ".css" + ], + "encryption": "TripleDES", + "ransomnotes": [ + "Comment d\u00e9bloquer mes fichiers.txt", + "Readme.txt" + ], + "refs": [ + "http://www.nyxbone.com/malware/jobcrypter.html", + "http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html", + "https://twitter.com/malwrhunterteam/status/828914052973858816" + ] + }, + "uuid": "7c9a273b-1534-4a13-b201-b7a782b6c32a" + }, + { + "value": "JohnyCryptor", + "description": "Ransomware", + "uuid": "5af5be3e-549f-4485-8c2e-1459d4e5c7d7" + }, + { + "value": "KawaiiLocker", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "How Decrypt Files.txt" + ], + "refs": [ + "https://safezone.cc/resources/kawaii-decryptor.195/" + ] + }, + "uuid": "b6d0ea4d-4e55-4b42-9d60-485d605d6c49" + }, + { + "value": "KeRanger", + "description": "Ransomware OS X Ransomware", + "meta": { + "extensions": [ + ".encrypted" + ], + "encryption": "AES", + "refs": [ + "http://news.drweb.com/show/?i=9877&lng=en&c=5", + "http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/" + ] + }, + "uuid": "63292b32-9867-4fb2-9e59-d4983d4fd5d1" + }, + { + "value": "KeyBTC", + "description": "Ransomware", + "meta": { + "extensions": [ + "keybtc@inbox_com" + ], + "ransomnotes": [ + "DECRYPT_YOUR_FILES.txt", + "READ.txt", + "readme.txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/" + ] + }, + "uuid": "3964e617-dde5-4c95-b4a0-e7c19c6e7d7f" + }, + { + "value": "KEYHolder", + "description": "Ransomware via remote attacker. 
tuyuljahat@hotmail.com contact address", + "meta": { + "ransomnotes": [ + "how_decrypt.gif", + "how_decrypt.html" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml" + ] + }, + "uuid": "66eda328-9408-4e98-ad27-572fd6b2acd8" + }, + { + "value": "KillerLocker", + "description": "Ransomware Possibly Portuguese dev", + "meta": { + "extensions": [ + ".rip" + ], + "refs": [ + "https://twitter.com/malwrhunterteam/status/782232299840634881" + ] + }, + "uuid": "ea8e7350-f243-4ef7-bc31-4648df8a4d96" + }, + { + "value": "KimcilWare", + "description": "Ransomware websites only", + "meta": { + "extensions": [ + ".kimcilware", + ".locked" + ], + "encryption": "AES", + "refs": [ + "https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it", + "http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-running-the-magento-platform/" + ] + }, + "uuid": "950e2514-8a7e-4fdb-a3ad-5679f6342e5d" + }, + { + "value": "Korean", + "description": "Ransomware Based on HiddenTear", + "meta": { + "extensions": [ + ".\uc554\ud638\ud654\ub428" + ], + "encryption": "AES-256", + "ransomnotes": [ + "ReadMe.txt" + ], + "refs": [ + "http://www.nyxbone.com/malware/koreanRansom.html" + ] + }, + "uuid": "4febffe0-3837-41d7-b95f-e26d126275e4" + }, + { + "value": "Kozy.Jozy", + "description": "Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com", + "meta": { + "synonyms": [ + "QC" + ], + "extensions": [ + ".31392E30362E32303136_[ID-KEY]_LSBJ1", + ".([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5})" + ], + "encryption": "RSA-2048", + "ransomnotes": [ + "w.jpg" + ], + "refs": [ + "http://www.nyxbone.com/malware/KozyJozy.html", + "http://www.bleepingcomputer.com/forums/t/617802/kozyjozy-ransomware-help-support-wjpg-31392e30362e32303136-num-lsbj1/" + ] + }, + "uuid": "47b5d261-11bd-4c7b-91f9-e5651578026a" + }, + 
{ + "value": "KratosCrypt", + "description": "Ransomware kratosdimetrici@gmail.com", + "meta": { + "extensions": [ + ".kratos" + ], + "ransomnotes": [ + "README_ALL.html" + ], + "refs": [ + "https://twitter.com/demonslay335/status/746090483722686465" + ] + }, + "uuid": "cc819741-830b-4859-bb7c-ccedf3356acd" + }, + { + "value": "KryptoLocker", + "description": "Ransomware Based on HiddenTear", + "meta": { + "encryption": "AES-256", + "ransomnotes": [ + "KryptoLocker_README.txt" + ] + }, + "uuid": "e68d4f37-704a-4f8e-9718-b12039fbe424" + }, + { + "value": "LanRan", + "description": "Ransomware Variant of open-source MyLittleRansomware", + "meta": { + "ransomnotes": [ + "@__help__@" + ], + "refs": [ + "https://twitter.com/struppigel/status/847689644854595584" + ] + }, + "uuid": "9e152871-fb16-475d-bf3b-f3b870d0237a" + }, + { + "value": "LeChiffre", + "description": "Ransomware Encrypts first 0x2000 and last 0x2000 bytes. Via remote attacker", + "meta": { + "extensions": [ + ".LeChiffre" + ], + "ransomnotes": [ + "How to decrypt LeChiffre files.html" + ], + "refs": [ + "https://decrypter.emsisoft.com/lechiffre", + "https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/" + ] + }, + "uuid": "ea1ba874-07e6-4a6d-82f0-e4ce4210e34e" + }, + { + "value": "Lick", + "description": "Ransomware Variant of Kirk", + "meta": { + "extensions": [ + ".Licked" + ], + "ransomnotes": [ + "RANSOM_NOTE.txt" + ], + "refs": [ + "https://twitter.com/JakubKroustek/status/842404866614038529" + ] + }, + "uuid": "f2e76070-0cea-4c9c-8d6b-1d847e777575" + }, + { + "value": "Linux.Encoder", + "description": "Ransomware Linux Ransomware", + "meta": { + "synonyms": [ + "Linux.Encoder.{0,3}" + ], + "refs": [ + "https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/" + ] + }, + "uuid": "b4992483-a693-4e73-b39e-0f45c9f645b5" + }, + { + "value": "LK Encryption", + "description": "Ransomware Based on HiddenTear", + "meta": { + 
"refs": [ + "https://twitter.com/malwrhunterteam/status/845183290873044994" + ] + }, + "uuid": "af52badb-3211-42b0-a1ac-e4d35d5829d7" + }, + { + "value": "LLTP Locker", + "description": "Ransomware Targeting Spanish speaking victims", + "meta": { + "extensions": [ + ".ENCRYPTED_BY_LLTP", + ".ENCRYPTED_BY_LLTPp" + ], + "encryption": "AES-256", + "ransomnotes": [ + "LEAME.txt" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/" + ] + }, + "uuid": "0cec6928-80c7-4085-ba47-cdc52177dfd3" + }, + { + "value": "Locker", + "description": "Ransomware has GUI", + "meta": { + "refs": [ + "http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545" + ] + }, + "uuid": "abc7883c-244a-44ac-9c86-559dafa4eb63" + }, + { + "value": "LockLock", + "description": "Ransomware", + "meta": { + "extensions": [ + ".locklock" + ], + "encryption": "AES-256", + "ransomnotes": [ + "READ_ME.TXT" + ], + "refs": [ + "https://www.bleepingcomputer.com/forums/t/626750/locklock-ransomware-locklock-help-support/" + ] + }, + "uuid": "7850bf92-394b-443b-8830-12f9ddbb50dc" + }, + { + "value": "Locky", + "description": "Ransomware Affiliations with Dridex and Necurs botnets", + "meta": { + "extensions": [ + ".locky", + ".zepto", + ".odin", + ".shit", + ".thor", + ".aesir", + ".zzzzz", + ".osiris", + "([A-F0-9]{32}).locky", + "([A-F0-9]{32}).zepto", + "([A-F0-9]{32}).odin", + "([A-F0-9]{32}).shit", + "([A-F0-9]{32}).thor", + "([A-F0-9]{32}).aesir", + "([A-F0-9]{32}).zzzzz", + "([A-F0-9]{32}).osiris", + ".lukitus" + ], + "encryption": "AES-128", + "ransomnotes": [ + "_Locky_recover_instructions.txt", + "_Locky_recover_instructions.bmp", + "_HELP_instructions.txt", + "_HELP_instructions.bmp", + "_HOWDO_text.html", + "_WHAT_is.html", + "_INSTRUCTION.html", + "DesktopOSIRIS.(bmp|htm)", + "OSIRIS-[0-9]{4}.htm", + "lukitus.htm", + "lukitus.bmp." 
+ ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-locky-ransomware-spotted-in-the-brazilian-underground-market-uses-windows-script-files/", + "https://nakedsecurity.sophos.com/2016/10/06/odin-ransomware-takes-over-from-zepto-and-locky/", + "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/" + ] + }, + "uuid": "8d51a22e-3485-4480-af96-8ed0305a7aa6" + }, + { + "value": "Lortok", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crime" + ] + }, + "uuid": "bc23872a-7cd3-4a66-9d25-6b4e6f90cc4e" + }, + { + "value": "LowLevel04", + "description": "Ransomware Prepends filenames", + "meta": { + "extensions": [ + "oor." + ] + }, + "uuid": "d4fb0463-6cd1-45ac-a7d2-6eea8be39590" + }, + { + "value": "M4N1F3STO", + "description": "Ransomware Does not encrypt Unlock code=suckmydicknigga", + "meta": { + "refs": [ + "https://twitter.com/jiriatvirlab/status/808015275367002113" + ] + }, + "uuid": "f5d19af8-1c85-408b-818e-db50208d62b1" + }, + { + "value": "Mabouia", + "description": "Ransomware OS X ransomware (PoC)", + "uuid": "f9214319-6ad4-4c4e-bc6d-fb710f61da48" + }, + { + "value": "MacAndChess", + "description": "Ransomware Based on HiddenTear", + "uuid": "fae8bf6e-47d1-4449-a1c6-761a4970fc38" + }, + { + "value": "Magic", + "description": "Ransomware Based on EDA2", + "meta": { + "extensions": [ + ".magic" + ], + "encryption": "AES-256", + "ransomnotes": [ + "DECRYPT_ReadMe1.TXT", + "DECRYPT_ReadMe.TXT" + ] + }, + "uuid": "31fa83fc-8247-4347-940a-e463acd66bac" + }, + { + "value": "MaktubLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + "[a-z]{4,6}" + ], + "encryption": "AES-256 + RSA-2048", + "ransomnotes": [ + "_DECRYPT_INFO_[extension pattern].html" + ], + "refs": [ + 
"https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/" + ] + }, + "uuid": "ef6ceb04-243e-4783-b476-8e8e9f06e8a7" + }, + { + "value": "MarsJoke", + "description": "Ransomware", + "meta": { + "extensions": [ + ".a19", + ".ap19" + ], + "ransomnotes": [ + "!!! Readme For Decrypt !!!.txt", + "ReadMeFilesDecrypt!!!.txt" + ], + "refs": [ + "https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/", + "https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker" + ] + }, + "uuid": "933bd53f-5ccf-4262-a70c-c01a6f05af3e" + }, + { + "value": "Meister", + "description": "Ransomware Targeting French victims", + "meta": { + "refs": [ + "https://twitter.com/siri_urz/status/840913419024945152" + ] + }, + "uuid": "ce5a82ef-d2a3-405c-ac08-3dca71057eb5" + }, + { + "value": "Meteoritan", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "where_are_your_files.txt", + "readme_your_files_have_been_encrypted.txt" + ], + "refs": [ + "https://twitter.com/malwrhunterteam/status/844614889620561924" + ] + }, + "uuid": "34f292d9-cb68-4bcf-a3db-a717362aca77" + }, + { + "value": "MIRCOP", + "description": "Ransomware Prepends files Demands 48.48 BTC", + "meta": { + "synonyms": [ + "Crypt888" + ], + "extensions": [ + "Lock." 
+ ], + "encryption": "AES", + "refs": [ + "http://www.bleepingcomputer.com/forums/t/618457/microcop-ransomware-help-support-lock-mircop/", + "https://www.avast.com/ransomware-decryption-tools#!", + "http://blog.trendmicro.com/trendlabs-security-intelligence/instruction-less-ransomware-mircop-channels-guy-fawkes/", + "http://www.nyxbone.com/malware/Mircop.html" + ] + }, + "uuid": "7dd326a5-1168-4309-98b1-f2146d9cf8c7" + }, + { + "value": "MireWare", + "description": "Ransomware Based on HiddenTear", + "meta": { + "extensions": [ + ".fucked", + ".fuck" + ], + "encryption": "AES-256", + "ransomnotes": [ + "READ_IT.txt" + ] + }, + "uuid": "9f01ded7-99f6-4863-b3a3-9d32aabf96c3" + }, + { + "value": "Mischa", + "description": "Ransomware Packaged with Petya PDFBewerbungsmappe.exe", + "meta": { + "synonyms": [ + "\"Petya's little brother\"" + ], + "extensions": [ + ".([a-zA-Z0-9]{4})" + ], + "ransomnotes": [ + "YOUR_FILES_ARE_ENCRYPTED.HTML", + "YOUR_FILES_ARE_ENCRYPTED.TXT " + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/" + ] + }, + "uuid": "a029df89-2bb1-409d-878b-a67572217a65" + }, + { + "value": "MM Locker", + "description": "Ransomware Based on EDA2", + "meta": { + "synonyms": [ + "Booyah" + ], + "extensions": [ + ".locked" + ], + "encryption": "AES-256", + "ransomnotes": [ + "READ_IT.txt" + ], + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered" + ] + }, + "uuid": "b95aa3fb-9f32-450e-8058-67d94f196913" + }, + { + "value": "Mobef", + "description": "Ransomware", + "meta": { + "synonyms": [ + "Yakes", + "CryptoBit" + ], + "extensions": [ + ".KEYZ", + ".KEYH0LES" + ], + "ransomnotes": [ + "4-14-2016-INFECTION.TXT", + "IMPORTANT.README" + ], + "refs": [ + "http://nyxbone.com/malware/Mobef.html", + "http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/", + 
"http://nyxbone.com/images/articulos/malware/mobef/0.png" + ] + }, + "uuid": "681f212a-af1b-4e40-a718-81b0dc46dc52" + }, + { + "value": "Monument", + "description": "Ransomware Use the DarkLocker 5 porn screenlocker - Jigsaw variant", + "meta": { + "refs": [ + "https://twitter.com/malwrhunterteam/status/844826339186135040" + ] + }, + "uuid": "2702fb96-8118-4519-bd75-23eed40f25e9" + }, + { + "value": "N-Splitter", + "description": "Ransomware Russian Koolova Variant", + "meta": { + "extensions": [ + ".\u043a\u0438\u0431\u0435\u0440 \u0440\u0430\u0437\u0432\u0435\u0442\u0432\u0438\u0442\u0435\u043b\u044c" + ], + "refs": [ + "https://twitter.com/JakubKroustek/status/815961663644008448", + "https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q" + ] + }, + "uuid": "8ec55495-fb31-49c7-a720-40250b5e085f" + }, + { + "value": "n1n1n1", + "description": "Ransomware Filemaker: \"333333333333\"", + "meta": { + "ransomnotes": [ + "decrypt explanations.html" + ], + "refs": [ + "https://twitter.com/demonslay335/status/790608484303712256", + "https://twitter.com/demonslay335/status/831891344897482754" + ] + }, + "uuid": "a439b37b-e123-4b1d-9400-94aca70b223a" + }, + { + "value": "NanoLocker", + "description": "Ransomware no extension change, has a GUI", + "meta": { + "encryption": "AES-256 + RSA", + "ransomnotes": [ + "ATTENTION.RTF" + ], + "refs": [ + "http://github.com/Cyberclues/nanolocker-decryptor" + ] + }, + "uuid": "03a91686-c607-49a8-a4e2-2054833c0013" + }, + { + "value": "Nemucod", + "description": "Ransomware 7zip (a0.exe) variant cannot be decrypted Encrypts the first 2048 Bytes", + "meta": { + "extensions": [ + ".crypted" + ], + "encryption": "XOR(255) + 7zip", + "ransomnotes": [ + "Decrypted.txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/nemucod", + "https://github.com/Antelox/NemucodFR", + "http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/", + 
"https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/" + ] + }, + "uuid": "f1ee9ae8-b798-4e6f-8f98-874395d0fa18" + }, + { + "value": "Netix", + "description": "Ransomware", + "meta": { + "synonyms": [ + "RANSOM_NETIX.A" + ], + "extensions": [ + "AES-256" + ], + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/" + ] + }, + "uuid": "5d3ec71e-9e0f-498a-aa33-0433799e80b4" + }, + { + "value": "Nhtnwcuf", + "description": "Ransomware Does not encrypt the files / Files are destroyed", + "meta": { + "ransomnotes": [ + "!_RECOVERY_HELP_!.txt", + "HELP_ME_PLEASE.txt" + ], + "refs": [ + "https://twitter.com/demonslay335/status/839221457360195589" + ] + }, + "uuid": "1d8e8ca3-da2a-494c-9db3-5b1b6277c363" + }, + { + "value": "NMoreira", + "description": "Ransomware", + "meta": { + "synonyms": [ + "XRatTeam", + "XPan" + ], + "extensions": [ + ".maktub", + ".__AiraCropEncrypted!" + ], + "encryption": "mix of RSA and AES-256", + "ransomnotes": [ + "Recupere seus arquivos. 
Leia-me!.txt" + ], + "refs": [ + "https://decrypter.emsisoft.com/nmoreira", + "https://twitter.com/fwosar/status/803682662481174528" + ] + }, + "uuid": "51f00a39-f4b9-4ed2-ba0d-258c6bf3f71a" + }, + { + "value": "NoobCrypt", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/JakubKroustek/status/757267550346641408", + "https://www.bleepingcomputer.com/news/security/noobcrypt-ransomware-dev-shows-noobness-by-using-same-password-for-everyone/" + ] + }, + "uuid": "aeb76911-ed45-4bf2-9a60-e023386e02a4" + }, + { + "value": "Nuke", + "description": "Ransomware", + "meta": { + "extensions": [ + ".nuclear55" + ], + "encryption": "AES", + "ransomnotes": [ + "!!_RECOVERY_instructions_!!.html", + "!!_RECOVERY_instructions_!!.txt" + ] + }, + "uuid": "e0bcb7d2-6032-43a0-b490-c07430d8a598" + }, + { + "value": "Nullbyte", + "description": "Ransomware", + "meta": { + "extensions": [ + "_nullbyte" + ], + "refs": [ + "https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip", + "https://www.bleepingcomputer.com/news/security/the-nullbyte-ransomware-pretends-to-be-the-necrobot-pokemon-go-application/" + ] + }, + "uuid": "460b700b-5d03-43f9-99e7-916ff180a036" + }, + { + "value": "ODCODC", + "description": "Ransomware", + "meta": { + "extensions": [ + ".odcodc", + "C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc" + ], + "encryption": "XOR", + "ransomnotes": [ + "HOW_TO_RESTORE_FILES.txt" + ], + "refs": [ + "http://download.bleepingcomputer.com/BloodDolly/ODCODCDecoder.zip", + "http://www.nyxbone.com/malware/odcodc.html", + "https://twitter.com/PolarToffee/status/813762510302183424", + "http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png" + ] + }, + "uuid": "f90724e4-c148-4479-ae1a-109498b4688f" + }, + { + "value": "Offline ransomware", + "description": "Ransomware email addresses overlap with .777 addresses", + "meta": { + "synonyms": [ + "Vipasana", + "Cryakl" + ], + "extensions": [ + ".cbf", + "email-[params].cbf" + ], + 
"ransomnotes": [ + "desk.bmp", + "desk.jpg" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547", + "http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html" + ] + }, + "uuid": "3c51fc0e-42d8-4ff0-b1bd-5c8c20271a39" + }, + { + "value": "OMG! Ransomware", + "description": "Ransomware", + "meta": { + "synonyms": [ + "GPCode" + ], + "extensions": [ + ".LOL!", + ".OMG!" + ], + "ransomnotes": [ + "how to get data.txt" + ] + }, + "uuid": "7914f9c9-3257-464c-b918-3754c4d018af" + }, + { + "value": "Operation Global III", + "description": "Ransomware Is a file infector (virus)", + "meta": { + "extensions": [ + ".EXE" + ], + "refs": [ + "http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/" + ] + }, + "uuid": "e5800883-c663-4eb0-b05e-6034df5bc6e0" + }, + { + "value": "Owl", + "description": "Ransomware", + "meta": { + "synonyms": [ + "CryptoWire" + ], + "extensions": [ + "dummy_file.encrypted", + "dummy_file.encrypted.[extension]" + ], + "ransomnotes": [ + "log.txt" + ], + "refs": [ + "https://twitter.com/JakubKroustek/status/842342996775448576" + ] + }, + "uuid": "4bb11db7-17a0-4536-b817-419ae6299004" + }, + { + "value": "PadCrypt", + "description": "Ransomware has a live support chat", + "meta": { + "extensions": [ + ".padcrypt" + ], + "ransomnotes": [ + "IMPORTANT READ ME.txt", + "File Decrypt Help.html" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/", + "https://twitter.com/malwrhunterteam/status/798141978810732544" + ] + }, + "uuid": "57c5df76-e72f-41b9-be29-89395f83a77c" + }, + { + "value": "Padlock Screenlocker", + "description": "Ransomware Unlock code is: ajVr/G\\ RJz0R", + "meta": { + "refs": [ + "https://twitter.com/BleepinComputer/status/811635075158839296" + ] + }, + "uuid": "8f41c9ce-9bd4-4bbd-96d7-c965d1621be7" + }, + { + "value": "Patcher", + "description": "Ransomware 
Targeting macOS users", + "meta": { + "extensions": [ + ".crypt" + ], + "ransomnotes": [ + "README!.txt" + ], + "refs": [ + "https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/", + "https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/" + ] + }, + "uuid": "e211ea8d-5042-48ae-86c6-15186d1f8dba" + }, + { + "value": "Petya", + "description": "Ransomware encrypts disk partitions PDFBewerbungsmappe.exe", + "meta": { + "synonyms": [ + "Goldeneye" + ], + "encryption": "Modified Salsa20", + "ransomnotes": [ + "YOUR_FILES_ARE_ENCRYPTED.TXT" + ], + "refs": [ + "http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generator", + "https://www.youtube.com/watch?v=mSqxFjZq_z4", + "https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/", + "https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/" + ] + }, + "uuid": "7c5a1e93-7ab2-4b08-ada9-e82c4feaed0a" + }, + { + "value": "Philadelphia", + "description": "Ransomware Coded by \"The_Rainmaker\"", + "meta": { + "extensions": [ + ".locked", + ".locked" + ], + "encryption": "AES-256", + "refs": [ + "https://decrypter.emsisoft.com/philadelphia", + "www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/" + ] + }, + "uuid": "6fd25982-9cf8-4379-a126-433c91aaadf2" + }, + { + "value": "PizzaCrypts", + "description": "Ransomware", + "meta": { + "extensions": [ + ".id-[victim_id]-maestro@pizzacrypts.info" + ], + "refs": [ + "http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip" + ] + }, + "uuid": "2482122b-1df6-488e-8867-215b165a4f66" + }, + { + "value": "PokemonGO", + "description": "Ransomware Based on Hidden Tear", + "meta": { + "extensions": [ + ".locked" + ], + "encryption": "AES-256", + "refs": [ + 
"http://www.nyxbone.com/malware/pokemonGO.html", + "http://www.bleepingcomputer.com/news/security/pokemongo-ransomware-installs-backdoor-accounts-and-spreads-to-other-drives/" + ] + }, + "uuid": "8b151275-d4c4-438a-9d06-92da2835586d" + }, + { + "value": "Polyglot", + "description": "Ransomware Immitates CTB-Locker", + "meta": { + "encryption": "AES-256", + "refs": [ + "https://support.kaspersky.com/8547", + "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" + ] + }, + "uuid": "b22cafb4-ccef-4935-82f4-631a6e539b8e" + }, + { + "value": "PowerWare", + "description": "Ransomware Open-sourced PowerShell", + "meta": { + "synonyms": [ + "PoshCoder" + ], + "extensions": [ + ".locky" + ], + "encryption": "AES-128", + "refs": [ + "https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decrypt.py", + "https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip", + "https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/", + "http://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/" + ] + }, + "uuid": "9fa93bb7-2997-4864-aa0e-0e667990dec8" + }, + { + "value": "PowerWorm", + "description": "Ransomware no decryption possible, throws key away, destroys the files", + "meta": { + "encryption": "AES", + "ransomnotes": [ + "DECRYPT_INSTRUCTION.html" + ] + }, + "uuid": "b54d59d7-b604-4b01-8002-5a2930732ca6" + }, + { + "value": "Princess Locker", + "description": "Ransomware", + "meta": { + "extensions": [ + "[a-z]{4,6},[0-9]" + ], + "ransomnotes": [ + "!_HOW_TO_RESTORE_[extension].TXT", + "!_HOW_TO_RESTORE_[extension].html", + "!_HOW_TO_RESTORE_*id*.txt", + ".*id*", + "@_USE_TO_FIX_JJnY.txt" + ], + "refs": [ + "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/", + "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/", 
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/" + ] + }, + "uuid": "7c8ff7e5-2cad-48e8-92e8-4c8226933cbc" + }, + { + "value": "PRISM", + "description": "Ransomware", + "meta": { + "refs": [ + "http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/" + ] + }, + "uuid": "c0ebfb75-254d-4d85-9d02-a7af8e655068" + }, + { + "value": "Ps2exe", + "description": "Ransomware", + "meta": { + "refs": [ + "https://twitter.com/jiriatvirlab/status/803297700175286273" + ] + }, + "uuid": "1da6653c-8657-4cdc-9eaf-0df9d2ebbf10" + }, + { + "value": "R", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "Ransomware.txt" + ], + "refs": [ + "https://twitter.com/malwrhunterteam/status/846705481741733892" + ] + }, + "uuid": "f7cd8956-2825-4104-94b1-e9589ab1089a" + }, + { + "value": "R980", + "description": "Ransomware", + "meta": { + "extensions": [ + ".crypt" + ], + "ransomnotes": [ + "DECRYPTION INSTRUCTIONS.txt", + "rtext.txt" + ], + "refs": [ + "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/" + ] + }, + "uuid": "6a7ebb0a-78bc-4fdc-92ae-1b02976b5499" + }, + { + "value": "RAA encryptor", + "description": "Ransomware Possible affiliation with Pony", + "meta": { + "synonyms": [ + "RAA" + ], + "extensions": [ + ".locked" + ], + "ransomnotes": [ + "!!!README!!![id].rtf" + ], + "refs": [ + "https://reaqta.com/2016/06/raa-ransomware-delivering-pony/", + "http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/" + ] + }, + "uuid": "b6d4faa1-6d76-42ff-8a18-238eb70cff06" + }, + { + "value": "Rabion", + "description": "Ransomware RaaS Copy of Ranion RaaS", + "meta": { + "refs": [ + "https://twitter.com/CryptoInsane/status/846181140025282561" + ] + }, + "uuid": "4a95257a-6646-492f-93eb-d15dff7ce1eb" + }, + { + "value": "Radamant", + "description": "Ransomware", + "meta": { + "extensions": [ + ".RDM", + ".RRK", + ".RAD", + ".RADAMANT" + ], + "encryption": "AES-256", + 
"ransomnotes": [ + "YOUR_FILES.url" + ], + "refs": [ + "https://decrypter.emsisoft.com/radamant", + "http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension-to-encrypted-files/", + "http://www.nyxbone.com/malware/radamant.html" + ] + }, + "uuid": "674c3bf6-2e16-427d-ab0f-b91676a460cd" + }, + { + "value": "Rakhni", + "description": "Ransomware Files might be partially encrypted", + "meta": { + "synonyms": [ + "Agent.iih", + "Aura", + "Autoit", + "Pletor", + "Rotor", + "Lamer", + "Isda", + "Cryptokluchen", + "Bandarchor" + ], + "extensions": [ + ".locked", + ".kraken", + ".darkness", + ".nochance", + ".oshit", + ".oplata@qq_com", + ".relock@qq_com", + ".crypto", + ".helpdecrypt@ukr.net", + ".pizda@qq_com", + ".dyatel@qq_com", + "_ryp", + ".nalog@qq_com", + ".chifrator@qq_com", + ".gruzin@qq_com", + ".troyancoder@qq_com", + ".encrypted", + ".cry", + ".AES256", + ".enc", + ".hb15", + ".coderksu@gmail_com_id[0-9]{2,3}", + ".crypt@india.com.[\\w]{4,12}" + ], + "ransomnotes": [ + "\\fud.bmp", + "\\paycrypt.bmp", + "\\strongcrypt.bmp", + "\\maxcrypt.bmp", + "%APPDATA%\\Roaming\\.bmp" + ], + "refs": [ + "https://support.kaspersky.com/us/viruses/disinfection/10556" + ] + }, + "uuid": "c85a41a8-a0a1-4963-894f-84bb980e6e86" + }, + { + "value": "Ramsomeer", + "description": "Ransomware Based on the DUMB ransomware", + "uuid": "5b81ea66-9a44-43d8-bceb-22e5b0582f8d" + }, + { + "value": "Rannoh", + "description": "Ransomware", + "meta": { + "extensions": [ + "locked-.[a-zA-Z]{4}" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/8547" + ] + }, + "uuid": "d45f089b-efc7-45f8-a681-845374349d83" + }, + { + "value": "RanRan", + "description": "Ransomware", + "meta": { + "extensions": [ + ".zXz" + ], + "ransomnotes": [ + "VictemKey_0_5", + "VictemKey_5_30", + "VictemKey_30_100", + "VictemKey_100_300", + "VictemKey_300_700", + "VictemKey_700_2000", + "VictemKey_2000_3000", + "VictemKey_3000", + "zXz.html" + ], + "refs": [ + 
"https://github.com/pan-unit42/public_tools/tree/master/ranran_decryption", + "http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/", + "https://www.bleepingcomputer.com/news/security/new-ranran-ransomware-uses-encryption-tiers-political-messages/" + ] + }, + "uuid": "e01a0cfa-2c8c-4e08-963a-4fa1e8cc6a34" + }, + { + "value": "Ransoc", + "description": "Ransomware Doesn't encrypt user files", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles", + "https://www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/" + ] + }, + "uuid": "f0fcbac5-6216-4c3c-adcb-3aa06ab23340" + }, + { + "value": "Ransom32", + "description": "Ransomware no extension change, Javascript Ransomware", + "uuid": "d74e2fa6-6b8d-49ed-80f9-07b274eecef8" + }, + { + "value": "RansomLock", + "description": "Ransomware Locks the desktop", + "meta": { + "encryption": "Asymmetric 1024 ", + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2" + ] + }, + "uuid": "24f98123-192c-4e31-b2ee-4c77afbdc3be" + }, + { + "value": "RarVault", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "RarVault.htm" + ] + }, + "uuid": "c8ee96a3-ac22-40c7-8ed2-df67aeaca08d" + }, + { + "value": "Razy", + "description": "Ransomware", + "meta": { + "extensions": [ + ".razy", + ".fear" + ], + "encryption": "AES-128", + "refs": [ + "http://www.nyxbone.com/malware/Razy(German).html", + "http://nyxbone.com/malware/Razy.html" + ] + }, + "uuid": "f2a38c7b-054e-49ab-aa0e-67a7aac71837" + }, + { + "value": "Rector", + "description": "Ransomware", + "meta": { + "extensions": [ + ".vscrypt", + ".infected", + ".bloc", + ".korrektor" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/4264" + ] + }, + "uuid": 
"08f519f4-df8f-4baf-b7ac-c7a0c66f7e74" + }, + { + "value": "RektLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".rekt" + ], + "encryption": "AES-256", + "ransomnotes": [ + "Readme.txt" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/4264" + ] + }, + "uuid": "5448f038-0558-45c7-bda7-76950f82846a" + }, + { + "value": "RemindMe", + "description": "Ransomware", + "meta": { + "extensions": [ + ".remind", + ".crashed" + ], + "ransomnotes": [ + "decypt_your_files.html " + ], + "refs": [ + "http://www.nyxbone.com/malware/RemindMe.html", + "http://i.imgur.com/gV6i5SN.jpg" + ] + }, + "uuid": "0120015c-7d37-469c-a966-7a0d42166e67" + }, + { + "value": "Rokku", + "description": "Ransomware possibly related with Chimera", + "meta": { + "extensions": [ + ".rokku" + ], + "encryption": "Curve25519 + ChaCha", + "ransomnotes": [ + "README_HOW_TO_UNLOCK.TXT", + "README_HOW_TO_UNLOCK.HTML" + ], + "refs": [ + "https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/" + ] + }, + "uuid": "61184aea-e87b-467d-b36e-cfc75ccb242f" + }, + { + "value": "RoshaLock", + "description": "Ransomware Stores your files in a password protected RAR file", + "meta": { + "refs": [ + "https://twitter.com/siri_urz/status/842452104279134209" + ] + }, + "uuid": "e88a7509-9c79-42c1-8b0c-5e63af8e25b5" + }, + { + "value": "Runsomewere", + "description": "Ransomware Based on HT/EDA2 Utilizes the Jigsaw Ransomware background", + "meta": { + "refs": [ + "https://twitter.com/struppigel/status/801812325657440256" + ] + }, + "uuid": "266b366b-2b4f-41af-a30f-eab1c63c9976" + }, + { + "value": "RussianRoulette", + "description": "Ransomware Variant of the Philadelphia ransomware", + "meta": { + "refs": [ + "https://twitter.com/struppigel/status/823925410392080385" + ] + }, + "uuid": "1149197c-89e7-4a8f-98aa-40ac0a9c0914" + }, + { + "value": "SADStory", + "description": "Ransomware Variant of CryPy", + "meta": { + "refs": [ + 
"https://twitter.com/malwrhunterteam/status/845356853039190016" + ] + }, + "uuid": "6d81cee2-6c99-41fb-8b54-6581422d85dc" + }, + { + "value": "Sage 2.2", + "description": "Ransomware Sage 2.2 deletes volume snapshots through vssadmin.exe, disables startup repair, uses process wscript.exe to execute a VBScript, and coordinates the execution of scheduled tasks via schtasks.exe.", + "meta": { + "extensions": [ + ".sage" + ], + "refs": [ + "https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate", + "https://malwarebreakdown.com/2017/03/10/finding-a-good-man/" + ] + }, + "uuid": "eacf3aee-ffb1-425a-862f-874e444a218d" + }, + { + "value": "Samas-Samsam", + "description": "Ransomware Targeted attacks -Jexboss -PSExec -Hyena", + "meta": { + "synonyms": [ + "samsam.exe", + "MIKOPONI.exe", + "RikiRafael.exe", + "showmehowto.exe" + ], + "extensions": [ + ".encryptedAES", + ".encryptedRSA", + ".encedRSA", + ".justbtcwillhelpyou", + ".btcbtcbtc", + ".btc-help-you", + ".only-we_can-help_you", + ".iwanthelpuuu", + ".notfoundrans", + ".encmywork", + ".VforVendetta", + ".theworldisyours", + ".Whereisyourfiles", + ".helpmeencedfiles", + ".powerfulldecrypt", + ".noproblemwedecfiles", + ".weareyourfriends", + ".otherinformation", + ".letmetrydecfiles", + ".encryptedyourfiles", + ".weencedufiles", + ".iaufkakfhsaraf", + ".cifgksaffsfyghd" + ], + "encryption": "AES(256) + RSA(2096)", + "ransomnotes": [ + "HELP_DECRYPT_YOUR_FILES.html", + "###-READ-FOR-HELLPP.html", + "000-PLEASE-READ-WE-HELP.html", + "CHECK-IT-HELP-FILES.html", + "WHERE-YOUR-FILES.html", + "HELP-ME-ENCED-FILES.html", + "WE-MUST-DEC-FILES.html", + "000-No-PROBLEM-WE-DEC-FILES.html", + "TRY-READ-ME-TO-DEC.html", + "000-IF-YOU-WANT-DEC-FILES.html", + "LET-ME-TRY-DEC-FILES.html", + "001-READ-FOR-DECRYPT-FILES.html", + "READ-READ-READ.html", + "IF_WANT_FILES_BACK_PLS_READ.html", + "READ_READ_DEC_FILES.html" + ], + "refs": [ + 
"https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip", + "http://blog.talosintel.com/2016/03/samsam-ransomware.html", + "http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf" + ] + }, + "uuid": "731e4a5e-35f2-47b1-80ba-150b95fdc14d" + }, + { + "value": "Sanction", + "description": "Ransomware Based on HiddenTear, but heavily modified keygen", + "meta": { + "extensions": [ + ".sanction" + ], + "encryption": "AES-256 + RSA-2096", + "ransomnotes": [ + "DECRYPT_YOUR_FILES.HTML" + ] + }, + "uuid": "e7b69fbe-26ba-49df-aa62-a64525f89343" + }, + { + "value": "Sanctions", + "description": "Ransomware", + "meta": { + "extensions": [ + ".wallet" + ], + "encryption": "AES-256 + RSA-2048", + "ransomnotes": [ + "RESTORE_ALL_DATA.html" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/" + ] + }, + "uuid": "7b517c02-9f93-44c7-b957-10346803c43c" + }, + { + "value": "Sardoninir", + "description": "Ransomware", + "meta": { + "extensions": [ + ".enc" + ], + "refs": [ + "https://twitter.com/BleepinComputer/status/835955409953357825" + ] + }, + "uuid": "6e49ecfa-1c25-4841-ae60-3b1c3c9c7710" + }, + { + "value": "Satana", + "description": "Ransomware", + "meta": { + "extensions": [ + "Sarah_G@ausi.com___" + ], + "ransomnotes": [ + "!satana!.txt" + ], + "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/", + "https://blog.kaspersky.com/satana-ransomware/12558/" + ] + }, + "uuid": "a127a59e-9e4c-4c2b-b833-cabd076c3016" + }, + { + "value": "Scraper", + "description": "Ransomware", + "meta": { + "refs": [ + "http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/" + ] + }, + "uuid": "c0c685b8-a59d-4922-add9-e572d5fd48cd" + }, + { + "value": "Serpico", + "description": "Ransomware DetoxCrypto Variant", + "meta": { + "encryption": "AES", + "refs": [ + "http://www.nyxbone.com/malware/Serpico.html" + ] + 
}, + "uuid": "bd4bfbab-c21d-4971-b70c-b180bcf40630" + }, + { + "value": "Shark", + "description": "Ransomware", + "meta": { + "synonyms": [ + "Atom" + ], + "extensions": [ + ".locked" + ], + "encryption": "AES-256", + "ransomnotes": [ + "Readme.txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/", + "http://www.bleepingcomputer.com/news/security/shark-ransomware-rebrands-as-atom-for-a-fresh-start/" + ] + }, + "uuid": "503c9910-902f-4bae-8c33-ea29db8bdd7f" + }, + { + "value": "ShinoLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".shino" + ], + "refs": [ + "https://twitter.com/JakubKroustek/status/760560147131408384", + "http://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/" + ] + }, + "uuid": "bc029327-ee34-4eba-8933-bd85f2a1e9d1" + }, + { + "value": "Shujin", + "description": "Ransomware", + "meta": { + "synonyms": [ + "KinCrypt" + ], + "ransomnotes": [ + "\u6587\u4ef6\u89e3\u5bc6\u5e2e\u52a9.txt" + ], + "refs": [ + "http://www.nyxbone.com/malware/chineseRansom.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/" + ] + }, + "uuid": "b9963d52-a391-4e9c-92e7-d2a147d5451f" + }, + { + "value": "Simple_Encoder", + "description": "Ransomware", + "meta": { + "extensions": [ + ".~" + ], + "encryption": "AES", + "ransomnotes": [ + "_RECOVER_INSTRUCTIONS.ini" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/" + ] + }, + "uuid": "2709b2ff-a2be-49a9-b268-2576170a5dff" + }, + { + "value": "SkidLocker", + "description": "Ransomware Based on EDA2", + "meta": { + "synonyms": [ + "Pompous" + ], + "extensions": [ + ".locked" + ], + "encryption": "AES-256", + "ransomnotes": [ + "READ_IT.txt" + ], + "refs": [ + 
"http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/", + "http://www.nyxbone.com/malware/SkidLocker.html" + ] + }, + "uuid": "44b6b99e-b1d9-4605-95c2-55c14c7c25be" + }, + { + "value": "Smash!", + "description": "Ransomware", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/" + ] + }, + "uuid": "27283e74-abc6-4d8a-bcb6-a60804b8e264" + }, + { + "value": "Smrss32", + "description": "Ransomware", + "meta": { + "extensions": [ + ".encrypted" + ], + "ransomnotes": [ + "_HOW_TO_Decrypt.bmp" + ] + }, + "uuid": "cd21bb2a-0c6a-463b-8c0e-16da251f69ae" + }, + { + "value": "SNSLocker", + "description": "Ransomware Based on EDA2", + "meta": { + "extensions": [ + ".RSNSlocked", + ".RSplited" + ], + "encryption": "AES-256", + "ransomnotes": [ + "READ_Me.txt" + ], + "refs": [ + "http://nyxbone.com/malware/SNSLocker.html", + "http://nyxbone.com/images/articulos/malware/snslocker/16.png" + ] + }, + "uuid": "82658f48-6a62-4dee-bd87-382e76b84c3d" + }, + { + "value": "Sport", + "description": "Ransomware", + "meta": { + "extensions": [ + ".sport" + ] + }, + "uuid": "9526efea-8853-42f2-89be-a04ee1ca4c7d" + }, + { + "value": "Stampado", + "description": "Ransomware Coded by \"The_Rainmaker\" Randomly deletes a file every 6hrs up to 96hrs then deletes decryption key", + "meta": { + "extensions": [ + ".locked" + ], + "encryption": "AES-256", + "ransomnotes": [ + "Random message includes bitcoin wallet address with instructions" + ], + "refs": [ + "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221", + "http://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/", + "https://decrypter.emsisoft.com/stampado", + "https://cdn.streamable.com/video/mp4/kfh3.mp4", + "http://blog.trendmicro.com/trendlabs-security-intelligence/the-economics-behind-ransomware-prices/" + ] + }, + "uuid": 
"6b8729b0-7ffc-4d07-98de-e5210928b274" + }, + { + "value": "Strictor", + "description": "Ransomware Based on EDA2, shows Guy Fawkes mask", + "meta": { + "extensions": [ + ".locked" + ], + "encryption": "AES-256", + "refs": [ + "http://www.nyxbone.com/malware/Strictor.html" + ] + }, + "uuid": "d75bdd85-032a-46b7-a339-257fd5656c11" + }, + { + "value": "Surprise", + "description": "Ransomware Based on EDA2", + "meta": { + "extensions": [ + ".surprise", + ".tzu" + ], + "encryption": "AES-256", + "ransomnotes": [ + "DECRYPTION_HOWTO.Notepad" + ] + }, + "uuid": "6848b77c-92c8-40ec-90ac-9c14b9f17272" + }, + { + "value": "Survey", + "description": "Ransomware Still in development, shows FileIce survey", + "meta": { + "ransomnotes": [ + "ThxForYurTyme.txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" + ] + }, + "uuid": "11725992-3634-4715-ae17-b6f5ed13b877" + }, + { + "value": "SynoLocker", + "description": "Ransomware Exploited Synology NAS firmware directly over WAN", + "uuid": "27740d5f-30cf-4c5c-812c-15c0918ce9f0" + }, + { + "value": "SZFLocker", + "description": "Ransomware", + "meta": { + "extensions": [ + ".szf" + ], + "refs": [ + "http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/" + ] + }, + "uuid": "a7845bbe-d7e6-4c7b-a9b8-dccbd93bc4b2" + }, + { + "value": "TeamXrat", + "description": "Ransomware", + "meta": { + "extensions": [ + ".___xratteamLucked" + ], + "encryption": "AES-256", + "ransomnotes": [ + "Como descriptografar os seus arquivos.txt" + ], + "refs": [ + "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" + ] + }, + "uuid": "65a31863-4f59-4c66-bc2d-31e8fb68bbe8" + }, + { + "value": "TeslaCrypt 0.x - 2.2.0", + "description": "Ransomware Factorization", + "meta": { + "synonyms": [ + "AlphaCrypt" + ], + "extensions": [ + ".vvv", + ".ecc", + ".exx", + ".ezz", + ".abc", + ".aaa", 
+ ".zzz", + ".xyz" + ], + "ransomnotes": [ + "HELP_TO_SAVE_FILES.txt", + "Howto_RESTORE_FILES.html" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", + "http://www.talosintel.com/teslacrypt_tool/" + ] + }, + "uuid": "af92c71e-935e-4486-b4e7-319bf16d622e" + }, + { + "value": "TeslaCrypt 3.0+", + "description": "Ransomware 4.0+ has no extension", + "meta": { + "extensions": [ + ".micro", + ".xxx", + ".ttt", + ".mp3" + ], + "encryption": "AES-256 + ECHD + SHA1", + "refs": [ + "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", + "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/", + "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/" + ] + }, + "uuid": "bd19dfff-7c8d-4c94-967e-f8ffc19e7dd9" + }, + { + "value": "TeslaCrypt 4.1A", + "description": "Ransomware", + "meta": { + "encryption": "AES-256 + ECHD + SHA1", + "ransomnotes": [ + "RECOVER<5_chars>.html", + "RECOVER<5_chars>.png", + "RECOVER<5_chars>.txt", + "_how_recover+.txt", + "_how_recover+.html", + "help_recover_instructions+.html", + "help_recover_instructions+.txt", + "help_recover_instructions+.BMP", + "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt", + "_H_e_l_p_RECOVER_INSTRUCTIONS+.html", + "_H_e_l_p_RECOVER_INSTRUCTIONS+.png", + "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt", + "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp", + "HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp", + "HOWTO_RECOVER_FILES_.TXT. e.g. 
howto_recover_files_xeyye.txt", + "HELP_TO_SAVE_FILES.txt", + "HELP_TO_SAVE_FILES.bmp" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", + "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/", + "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/", + "https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain" + ] + }, + "uuid": "ab6b8f56-cf2d-4733-8f9c-df3d52c05e66" + }, + { + "value": "TeslaCrypt 4.2", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "RECOVER<5_chars>.html", + "RECOVER<5_chars>.png", + "RECOVER<5_chars>.txt", + "_how_recover+.txt", + "_how_recover+.html", + "help_recover_instructions+.BMP", + "help_recover_instructions+.html", + "help_recover_instructions+.txt", + "_H_e_l_p_RECOVER_INSTRUCTIONS+.txt", + "_H_e_l_p_RECOVER_INSTRUCTIONS+.html", + "_H_e_l_p_RECOVER_INSTRUCTIONS+.png", + "Recovery+<5 random chars>.txt, .html, e.g., Recovery+gwote.txt", + "RESTORE_FILES_.TXT , e.g. restore_files_kksli.bmp", + "HELP_RESTORE_FILES_.TXT , e.g. help_restore_files_kksli.bmp", + "HOWTO_RECOVER_FILES_.TXT. e.g. 
howto_recover_files_xeyye.txt", + "HELP_TO_SAVE_FILES.txt", + "HELP_TO_SAVE_FILES.bmp" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/", + "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/", + "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/", + "http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications/" + ] + }, + "uuid": "eed65c12-b179-4002-a11b-7a2e2df5f0c8" + }, + { + "value": "Threat Finder", + "description": "Ransomware Files cannot be decrypted Has a GUI", + "meta": { + "ransomnotes": [ + "HELP_DECRYPT.HTML" + ] + }, + "uuid": "c0bce92a-63b8-4538-93dc-0911ae46596d" + }, + { + "value": "TorrentLocker", + "description": "Ransomware Newer variants not decryptable. Only first 2 MB are encrypted", + "meta": { + "synonyms": [ + "Crypt0L0cker", + "CryptoFortress", + "Teerac" + ], + "extensions": [ + ".Encrypted", + ".enc" + ], + "encryption": "AES-256 CBC for files + RSA-1024 for AES key uses LibTomCrypt", + "ransomnotes": [ + "HOW_TO_RESTORE_FILES.html", + "DECRYPT_INSTRUCTIONS.html", + "DESIFROVANI_POKYNY.html", + "INSTRUCCIONES_DESCIFRADO.html", + "ISTRUZIONI_DECRITTAZIONE.html", + "ENTSCHLUSSELN_HINWEISE.html", + "ONTSLEUTELINGS_INSTRUCTIES.html", + "INSTRUCTIONS_DE_DECRYPTAGE.html", + "SIFRE_COZME_TALIMATI.html", + "wie_zum_Wiederherstellen_von_Dateien.txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/", + "https://twitter.com/PolarToffee/status/804008236600934403", + "http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html" + ] + }, + "uuid": "b817ce63-f1c3-49de-bd8b-fd56c3f956c9" + }, + { + "value": "TowerWeb", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "Payment_Instructions.jpg" + ], + "refs": [ + 
"http://www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/" + ] + }, + "uuid": "4d470cf8-09b6-4d0e-8e5a-2f618e48c560" + }, + { + "value": "Toxcrypt", + "description": "Ransomware", + "meta": { + "extensions": [ + ".toxcrypt" + ], + "ransomnotes": [ + "tox.html" + ] + }, + "uuid": "08fc7534-fe85-488b-92b0-630c0d91ecbe" + }, + { + "value": "Trojan", + "description": "Ransomware", + "meta": { + "synonyms": [ + "BrainCrypt" + ], + "extensions": [ + ".braincrypt" + ], + "ransomnotes": [ + "!!! HOW TO DECRYPT FILES !!!.txt" + ], + "refs": [ + "https://download.bleepingcomputer.com/demonslay335/BrainCryptDecrypter.zip", + "https://twitter.com/PolarToffee/status/811249250285842432" + ] + }, + "uuid": "97673387-75ae-4da4-9a5f-38773f2492e7" + }, + { + "value": "Troldesh orShade, XTBL", + "description": "Ransomware May download additional malware after encryption", + "meta": { + "extensions": [ + ".breaking_bad", + ".better_call_saul", + ".xtbl", + ".da_vinci_code", + ".windows10", + ".no_more_ransom" + ], + "encryption": "AES-256", + "ransomnotes": [ + "README.txt", + "nomoreransom_note_original.txt" + ], + "refs": [ + "https://www.nomoreransom.org/uploads/ShadeDecryptor_how-to_guide.pdf", + "http://www.nyxbone.com/malware/Troldesh.html", + "https://www.bleepingcomputer.com/news/security/kelihos-botnet-delivering-shade-troldesh-ransomware-with-no-more-ransom-extension/" + ] + }, + "uuid": "6c3dd006-3501-4ebc-ab86-b06e4d555194" + }, + { + "value": "TrueCrypter", + "description": "Ransomware", + "meta": { + "extensions": [ + ".enc" + ], + "encryption": "AES-256", + "refs": [ + "http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card/" + ] + }, + "uuid": "c46bfed8-7010-432a-8108-138f6d067000" + }, + { + "value": "Turkish", + "description": "Ransomware", + "meta": { + "extensions": [ + ".sifreli" + ], + "refs": [ + 
"https://twitter.com/struppigel/status/821991600637313024" + ] + }, + "uuid": "132c39fc-1364-4210-aef9-48f73afc1108" + }, + { + "value": "Turkish Ransom", + "description": "Ransomware", + "meta": { + "extensions": [ + ".locked" + ], + "encryption": "AES-256", + "ransomnotes": [ + "DOSYALARINIZA ULA\u015eMAK \u0130\u00c7\u0130N A\u00c7INIZ.html" + ], + "refs": [ + "http://www.nyxbone.com/malware/turkishRansom.html" + ] + }, + "uuid": "174dd201-0b0b-4a76-95c7-71f8141684d0" + }, + { + "value": "UmbreCrypt", + "description": "Ransomware CrypBoss Family", + "meta": { + "extensions": [ + "umbrecrypt_ID_[VICTIMID]" + ], + "encryption": "AES", + "ransomnotes": [ + "README_DECRYPT_UMBRE_ID_[victim_id].jpg", + "README_DECRYPT_UMBRE_ID_[victim_id].txt", + "default32643264.bmp", + "default432643264.jpg" + ], + "refs": [ + "http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware" + ] + }, + "uuid": "028b3489-51da-45d7-8bd0-62044e9ea49f" + }, + { + "value": "UnblockUPC", + "description": "Ransomware", + "meta": { + "ransomnotes": [ + "Files encrypted.txt" + ], + "refs": [ + "https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-support-topic-files-encryptedtxt/" + ] + }, + "uuid": "5a9f9ebe-f4c8-4985-8890-743f59d658fd" + }, + { + "value": "Ungluk", + "description": "Ransomware Ransom note instructs to use Bitmessage to get in contact with attacker - Secretishere.key - SECRETISHIDINGHEREINSIDE.KEY - secret.key", + "meta": { + "extensions": [ + ".H3LL", + ".0x0", + ".1999" + ], + "encryption": "AES", + "ransomnotes": [ + "READTHISNOW!!!.txt", + "Hellothere.txt", + "YOUGOTHACKED.TXT" + ] + }, + "uuid": "bb8c6b80-91cb-4c01-b001-7b9e73228420" + }, + { + "value": "Unlock92 ", + "description": "Ransomware", + "meta": { + "extensions": [ + ".CRRRT", + ".CCCRRRPPP" + ], + "ransomnotes": [ + "READ_ME_!.txt" + ], + "refs": [ + "https://twitter.com/malwrhunterteam/status/839038399944224768" + ] + }, + "uuid": 
"dfe760e5-f878-492d-91d0-05fa45a2849d" + }, + { + "value": "VapeLauncher", + "description": "Ransomware CryptoWire variant", + "meta": { + "refs": [ + "https://twitter.com/struppigel/status/839771195830648833" + ] + }, + "uuid": "7799247c-4e6a-4c20-b0b3-d8e6a8ab6783" + }, + { + "value": "VaultCrypt", + "description": "Ransomware", + "meta": { + "synonyms": [ + "CrypVault", + "Zlader" + ], + "extensions": [ + ".vault", + ".xort", + ".trun" + ], + "encryption": "uses gpg.exe", + "ransomnotes": [ + "VAULT.txt", + "xort.txt", + "trun.txt", + ".hta | VAULT.hta" + ], + "refs": [ + "http://www.nyxbone.com/malware/russianRansom.html" + ] + }, + "uuid": "63a82b7f-9a71-47a8-9a79-14acc6595da5" + }, + { + "value": "VBRANSOM 7", + "description": "Ransomware", + "meta": { + "extensions": [ + ".VBRANSOM" + ], + "refs": [ + "https://twitter.com/BleepinComputer/status/817851339078336513" + ] + }, + "uuid": "44a56cd0-8cd8-486f-972d-4b1b416e9077" + }, + { + "value": "VenusLocker", + "description": "Ransomware Based on EDA2", + "meta": { + "extensions": [ + ".Venusf", + ".Venusp" + ], + "encryption": "AES-256", + "ransomnotes": [ + "ReadMe.txt" + ], + "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2016/08/venus-locker-another-net-ransomware/?utm_source=twitter&utm_medium=social", + "http://www.nyxbone.com/malware/venusLocker.html" + ] + }, + "uuid": "7340c6d6-a16e-4a01-8bb4-8ad3edc64d28" + }, + { + "value": "Virlock", + "description": "Ransomware Polymorphism / Self-replication", + "meta": { + "extensions": [ + ".exe" + ], + "refs": [ + "http://www.nyxbone.com/malware/Virlock.html", + "http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/" + ] + }, + "uuid": "5c736959-6c58-4bf2-b084-7197b42e500a" + }, + { + "value": "Virus-Encoder", + "description": "Ransomware", + "meta": { + "synonyms": [ + "CrySiS" + ], + "extensions": [ + ".CrySiS", + ".xtbl", + ".crypt", + ".DHARMA", + ".id-########.decryptformoney@india.com.xtbl", 
+ ".[email_address].DHARMA" + ], + "encryption": "AES-256", + "ransomnotes": [ + "How to decrypt your data.txt" + ], + "refs": [ + "http://www.welivesecurity.com/2016/11/24/new-decryption-tool-crysis-ransomware/", + "http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip", + "http://www.nyxbone.com/malware/virus-encoder.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/crysis-targeting-businesses-in-australia-new-zealand-via-brute-forced-rdps/" + ] + }, + "uuid": "15a30d84-4f5f-4b75-a162-e36107d30215" + }, + { + "value": "WildFire Locker", + "description": "Ransomware Zyklon variant", + "meta": { + "synonyms": [ + "Hades Locker" + ], + "extensions": [ + ".wflx" + ], + "ransomnotes": [ + "HOW_TO_UNLOCK_FILES_README_().txt" + ], + "refs": [ + "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/" + ] + }, + "uuid": "31945e7b-a734-4333-9ea2-e52051ca015a" + }, + { + "value": "Xorist", + "description": "Ransomware encrypted files will still have the original non-encrypted header of 0x33 bytes length", + "meta": { + "extensions": [ + ".EnCiPhErEd", + ".73i87A", + ".p5tkjw", + ".PoAr2w", + ".fileiscryptedhard", + ".encoderpass", + ".zc3791", + ".antihacker2017" + ], + "encryption": "XOR or TEA", + "ransomnotes": [ + "HOW TO DECRYPT FILES.TXT" + ], + "refs": [ + "https://support.kaspersky.com/viruses/disinfection/2911", + "https://decrypter.emsisoft.com/xorist" + ] + }, + "uuid": "0a15a920-9876-4985-9d3d-bb0794722258" + }, + { + "value": "XRTN ", + "description": "Ransomware VaultCrypt family", + "meta": { + "extensions": [ + ".xrtn" + ] + }, + "uuid": "22ff9f8c-f658-46cc-a404-1a54e1b74569" + }, + { + "value": "You Have Been Hacked!!!", + "description": "Ransomware Attempt to steal passwords", + "meta": { + "extensions": [ + ".Locked" + ], + "refs": [ + "https://twitter.com/malwrhunterteam/status/808280549802418181" + ] + }, + "uuid": "0810ea3e-1cd6-4ea3-a416-5895fb685c5b" + }, + { + "value": "Zcrypt", + 
"description": "Ransomware", + "meta": { + "synonyms": [ + "Zcryptor" + ], + "extensions": [ + ".zcrypt" + ], + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/" + ] + }, + "uuid": "7eed5e96-0219-4355-9a9c-44643272894c" + }, + { + "value": "Zimbra", + "description": "Ransomware mpritsken@priest.com", + "meta": { + "extensions": [ + ".crypto" + ], + "ransomnotes": [ + "how.txt" + ], + "refs": [ + "http://www.bleepingcomputer.com/forums/t/617874/zimbra-ransomware-written-in-python-help-and-support-topic-crypto-howtotxt/" + ] + }, + "uuid": "07346620-a0b4-48d5-9158-5048741f5078" + }, + { + "value": "Zlader", + "description": "Ransomware VaultCrypt family", + "meta": { + "synonyms": [ + "Russian", + "VaultCrypt", + "CrypVault" + ], + "extensions": [ + ".vault" + ], + "encryption": "RSA", + "refs": [ + "http://www.nyxbone.com/malware/russianRansom.html" + ] + }, + "uuid": "2195387d-ad9c-47e6-8f14-a49388b26eab" + }, + { + "value": "Zorro", + "description": "Ransomware", + "meta": { + "extensions": [ + ".zorro" + ], + "ransomnotes": [ + "Take_Seriously (Your saving grace).txt" + ], + "refs": [ + "https://twitter.com/BleepinComputer/status/844538370323812353" + ] + }, + "uuid": "b2bd25e1-d41c-42f2-8971-ecceceb6ba08" + }, + { + "value": "Zyklon", + "description": "Ransomware Hidden Tear family, GNL Locker variant", + "meta": { + "synonyms": [ + "GNL Locker" + ], + "extensions": [ + ".zyklon" + ] + }, + "uuid": "78ef77ac-a570-4fb9-af80-d04c09dff9ab" + }, + { + "value": "vxLock", + "description": "Ransomware", + "meta": { + "extensions": [ + ".vxLock" + ] + }, + "uuid": "37950a1c-0035-49e0-9278-e878df0a10f3" + }, + { + "value": "Jaff", + "description": "We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed \"Jaff\". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. 
In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.", + "meta": { + "extensions": [ + ".jaff" + ], + "encryption": "AES", + "ransomnotes": [ + "WallpapeR.bmp", + "ReadMe.bmp", + "ReadMe.html", + "ReadMe.txt" + ], + "refs": [ + "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html", + "https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/" + ] + }, + "uuid": "8e3d44d0-6768-4b54-88b0-2e004a7f2297" + }, + { + "value": "Uiwix Ransomware", + "description": "Using EternalBlue SMB Exploit To Infect Victims", + "meta": { + "extensions": [ + "._[10_digit_victim_id].UIWIX" + ], + "encryption": "may be a mixture of AES and RC4.", + "ransomnotes": [ + "DECODE_FILES.txt" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/" + ] + }, + "uuid": "369d6fda-0284-44aa-9e74-f6651416fec4" + }, + { + "value": "SOREBRECT", + "description": "Fileless, Code-injecting Ransomware", + "meta": { + "extensions": [ + ".pr0tect" + ], + "ransomnotes": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/06/SOREBRECT-3.jpg" + ], + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/" + ] + }, + "uuid": "34cedaf0-b1f0-4b5d-b7bd-2eadfc630ea7" + }, + { + "value": "Cyron", + "description": "claims it detected \"Children Pornsites\" in your browser history", + "meta": { + "extensions": [ + ".CYRON" + ], + "ransomnotes": [ + "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvA8CDWAAIR5er.jpg" + ], + "refs": [ + "https://twitter.com/struppigel/status/899524853426008064" + ] + }, + "uuid": 
"f597d388-886e-46d6-a5cc-26deeb4674f2" + }, + { + "value": "Kappa", + "description": "Made with OXAR builder; decryptable", + "meta": { + "extensions": [ + ".OXR" + ], + "ransomnotes": [ + "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvDae7XoAE9usO[1].jpg" + ], + "refs": [ + "https://twitter.com/struppigel/status/899528477824700416" + ] + }, + "uuid": "3330e226-b71a-4ee4-8612-2b06b58368fc" + }, + { + "value": "Trojan Dz", + "description": "CyberSplitter variant", + "meta": { + "extensions": [ + ".Isis" + ], + "ransomnotes": [ + "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DHvM552WsAAuDbi[1].jpg" + ], + "refs": [ + "https://twitter.com/struppigel/status/899537940539478016" + ] + }, + "uuid": "1fe6c23b-863e-49e4-9439-aa9e999aa2e1" + }, + { + "value": "Xolzsec", + "description": "ransomware written by self proclaimed script kiddies that should really be considered trollware", + "meta": { + "extensions": [ + ".xolzsec" + ], + "refs": [ + "https://twitter.com/struppigel/status/899916577252028416" + ] + }, + "uuid": "f2930308-2e4d-4af5-b119-746be0fe7f2c" + }, + { + "value": "FlatChestWare", + "description": "HiddenTear variant; decryptable", + "meta": { + "extensions": [ + ".flat" + ], + "ransomnotes": [ + "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2017/august/25/DH5KChhXsAADOIu[1].jpg" + ], + "refs": [ + "https://twitter.com/struppigel/status/900238572409823232" + ] + }, + "uuid": "d29341fd-f48e-4caa-8a28-b17853b779d1" + }, + { + "value": "SynAck", + "description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. 
This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/" + ], + "synonyms": [ + "Syn Ack" + ], + "ransomnotes": [ + "RESTORE_INFO-[id].txt" + ] + }, + "uuid": "04585cd8-54ae-420f-9191-8ddb9b88a80c" + }, + { + "value": "SyncCrypt", + "description": "A new ransomware called SyncCrypt was discovered by Emsisoft security researcher xXToffeeXx that is being distributed by spam attachments containing WSF files. When installed these attachments will encrypt a computer and append the .kk extension to encrypted files.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/" + ], + "extension": [ + ".kk" + ], + "ransomnotes": [ + "readme.html", + "readme.png" + ] + }, + "uuid": "83d10b83-9038-4dd6-b305-f14c21478588" + }, + { + "value": "Bad Rabbit", + "description": "On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. 
The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.", + "meta": { + "refs": [ + "http://blog.talosintelligence.com/2017/10/bad-rabbit.html" + ], + "synonyms": [ + "BadRabbit", + "Bad-Rabbit" + ] + }, + "uuid": "e8af6388-6575-4812-94a8-9df1567294c5" + }, + { + "value": "Halloware", + "description": "A malware author by the name of Luc1F3R is peddling a new ransomware strain called Halloware for the lowly price of $40. Based on evidence gathered by Bleeping Computer, Luc1F3R started selling his ransomware this week, beginning Thursday.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/halloware-ransomware-on-sale-on-the-dark-web-for-only-40/" + ], + "extensions": [ + "(Lucifer) [prepend]" + ] + }, + "uuid": "b366627d-dbc0-45ba-90bc-5f5694f45e35" + }, + { + "value": "StorageCrypt", + "description": "Recently BleepingComputer has received a flurry of support requests for a new ransomware being named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud. Victims have been reporting that their files have been encrypted and a note left with a ransom demand of between .4 and 2 bitcoins to get their files back. User's have also reported that each share on their NAS device contains a Autorun.inf file and a Windows executable named \u7f8e\u5973\u4e0e\u91ce\u517d.exe, which translates to Beauty and the beast. 
From the samples BleepingComputer has received, this Autorun.inf is an attempt to spread the \u7f8e\u5973\u4e0e\u91ce\u517d.exe file to other computers that open the folders on the NAS devices.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/" + ], + "extensions": [ + ".locked" + ], + "ransomnotes": [ + "_READ_ME_FOR_DECRYPT.txt", + "Warning\n\nYour documents, photos,databases,important files have been encrypted by RSA-4096 and AES-256!\nIf you modify any file, it may cause make you cannot decrypt!!!\n\nDon't waste your precious time to try decrypt the files.\nIf there is no key that we provide to you , NO ONE can decrypt your precious files, even Jesus.\n\nHow to decrypt your files ?\n\nYou have to pay for decryption in bitcoin\nTo decrypt your files,please following the steps below\n\n1,Pay 2.0 bitcoin to this address: [bitcoin_address]\n\nPay To : [bitcoin_address]\nAmount : 2.0\n\n2,After you have finished paying,Contact us and Send us your Decrypt-ID via email\n\n3,Once we have confimed your deal,You can use the tool we sent to you to decrypt all your files.\n\nHow to obtain bitcoin ?\n\nThe easiest way to buy bitcoin is LocalBitcoins site.\nYou have to register, click Buy bitcoins and select the seller\nby payment method and price\n\nhttps://localbitcoins.com/buy_bitcoins\n\nhttps://paxful.com/buy-bitcoin\n\nhttp://bitcointalk.org/\n\n If you have any questions please do not hesitate to contact us\n\nContact Email:JeanRenoAParis@protonmail.com\n\nDecrypt-ID:" + ] + }, + "uuid": "0b920d03-971f-413c-8057-60d187192140" + }, + { + "value": "HC7", + "description": "A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. 
Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network.\nOriginally released as HC6, victims began posting about it in the BleepingComputer forums towards the end of November. As this is a Python-to-exe executable, once the script was extracted ID Ransomware creator Michael Gillespie was able determine that it was decryptable and released a decryptor.\nUnfortunately, a few days later, the ransomware developers released a new version called HC7 that was not decryptable. Thi sis because they removed the hard coded encryption key and instead switched to inputting the key as a command line argument when the attackers run the ransomware executable. Thankfully, there may be a way to get around that as well so that victims can recover their keys.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/" + ], + "extensions": [ + ".GOTYA" + ], + "ransomnotes": [ + "RECOVERY.txt", + "ALL YOUR FILES WERE ENCRYPTED.\nTO RESTORE THIS FILE, YOU MUST SEND $700 BTC for MASCHINE\nOR $5,000 BTC FOR ALL NETWORK\nADDRESS: 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP\nAFTER PAYMENT SENT EMAIL m4zn0v@keemail.me\nALONG WITH YOUR IDENTITY: VVNFUi1QQzA5\nNOT TO TURN OFF YOUR COMPUTER, UNLESS IT WILL BREAK" + ] + }, + "uuid": "9325e097-9fea-490c-9b89-c2d40c166101" + }, + { + "value": "HC6", + "description": "Predecessor of HC7", + "meta": { + "refs": [ + "https://twitter.com/demonslay335/status/935622942737817601?ref_src=twsrc%5Etfw", + "https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/" + ], + "extensions": [ + ".fucku" + ] + }, + "uuid": "909fde65-e015-40a9-9012-8d3ef62bba53" + }, + { + "value": "qkG", + "description": "Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and 
infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/qkg-ransomware-encrypts-only-word-documents-hides-and-spreads-via-macros/" + ] + }, + "uuid": "1f3eab7f-da0a-4e0b-8a9f-cda2f146c819" + }, + { + "value": "Scarab", + "description": "The Scarab ransomware is a relatively new ransomware strain that was first spotted by security researcher Michael Gillespie in June this year.\nWritten in Delphi, the first version was simplistic and was recognizable via the \".scarab\" extension it appended after the names of encrypted files.\nMalwarebytes researcher Marcelo Rivera spotted a second version in July that used the \".scorpio\" extension. The version spotted with the Necurs spam today has reverted back to using the .scarab extension.\nThe current version of Scarab encrypts files but does not change original file names as previous versions. 
This Scarab version appends each file's name with the \".[suupport@protonmail.com].scarab\" extension.\nScarab also deletes shadow volume copies and drops a ransom note named \"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT\" on users' computers, which it opens immediately.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/", + "https://labsblog.f-secure.com/2017/11/23/necurs-business-is-booming-in-a-new-partnership-with-scarab-ransomware/", + "https://blogs.forcepoint.com/security-labs/massive-email-campaign-spreads-scarab-ransomware", + "https://twitter.com/malwrhunterteam/status/933643147766321152", + "https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/" + ], + "extensions": [ + ".scarab", + ".scorpio", + ".[suupport@protonmail.com].scarab" + ], + "ransomnotes": [ + "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" + ] + }, + "uuid": "cf8fbd03-4510-41cc-bec3-712fa7609aa4" + }, + { + "value": "File Spider", + "description": "A new ransomware called File Spider is being distributed through spam that targets victims in Bosnia and Herzegovina, Serbia, and Croatia. These spam emails contains malicious Word documents that will download and install the File Spider ransomware onto a victims computer.File Spider is currently being distributed through malspam that appears to be targeting countries such as Croatia, Bosnia and Herzegovina, and Serbia. 
The spam start with subjects like\"Potrazivanje dugovanja\", which translates to \"Debt Collection\" and whose message, according to Google Translate, appear to be in Serbian.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/file-spider-ransomware-targeting-the-balkans-with-malspam/" + ], + "extensions": [ + ".spider" + ], + "ransomnotes": [ + "HOW TO DECRYPT FILES.url", + "As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool.\n\nThe good news is that there is still a chance to recover your files, you just need to have the right key.\n\nTo obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!\n\nRemember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.\n\nTo avoid any misunderstanding, please read Help section." 
+ ] + }, + "uuid": "3e75ce6b-b6de-4e5a-9501-8f9f847c819c" + }, + { + "value": "FileCoder", + "description": "A barely functional piece of macOS ransomware, written in Swift.", + "meta": { + "date": "Febuary 2017", + "refs": [ + "https://objective-see.com/blog/blog_0x25.html#FileCoder" + ], + "synonyms": [ + "FindZip", + "Patcher" + ] + }, + "uuid": "091c9923-5939-4bde-9db5-56abfb51f1a2" + }, + { + "value": "MacRansom", + "description": "A basic piece of macOS ransomware, offered via a 'malware-as-a-service' model.", + "meta": { + "date": "June 2017", + "refs": [ + "https://objective-see.com/blog/blog_0x25.html" + ] + }, + "uuid": "7574c7f1-5075-4230-aca9-d6c0956f1fac" + }, + { + "value": "GandCrab", + "description": "A new ransomware called GandCrab was released towards the end of last week that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld. ", + "meta": { + "date": "January 2018", + "refs": [ + "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", + "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/" + ], + "ransomnotes": [ + "GDCB-DECRYPT.txt", + "---= GANDCRAB =---\n\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB \nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser:http://gdcbghvjyqy7jclk.onion/[id]\n5. 
Follow the instructions on this page\n\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\n2. http://gdcbghvjyqy7jclk.onion.casa/[id]\n3. http://gdcbghvjyqy7jclk.onion.guide/[id]\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!" + ] + }, + "uuid": "5920464b-e093-4fa0-a275-438dffef228f" + }, + { + "value": "ShurL0ckr", + "description": "Security researchers uncovered a new ransomware named ShurL0ckr (detected by Trend Micro as RANSOM_GOSHIFR.B) that reportedly bypasses detection mechanisms of cloud platforms. Like Cerber and Satan, ShurL0ckr\u2019s operators further monetize the ransomware by peddling it as a turnkey service to fellow cybercriminals, allowing them to earn additional income through a commission from each victim who pays the ransom.", + "meta": { + "refs": [ + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications" + ], + "date": "Febuary 2018" + }, + "uuid": "cc7f6da3-fafd-444f-b7e9-f0e650fb4d4f" + }, + { + "value": "Cryakl", + "description": "ransomware", + "meta": { + "refs": [ + "https://sensorstechforum.com/fr/fairytail-files-virus-cryakl-ransomware-remove-restore-data/", + "https://www.technologynews.tech/cryakl-ransomware-virus", + "http://www.zdnet.com/article/cryakl-ransomware-decryption-keys-now-available-for-free/" + ], + "date": "January 2018", + "extensions": [ + ".fairytail" + ] + }, + "uuid": "4f3e494e-0e37-4894-94b2-741a8100f07a" + }, + { + "value": "Thanatos", + "description": "first ransomware seen to ask for payment to be made in 
Bitcoin Cash (BCH)",
+ "meta": {
+ "refs": [
+ "https://mobile.twitter.com/EclecticIQ/status/968478323889332226",
+ "https://www.eclecticiq.com/resources/thanatos--ransomware-first-ransomware-ask-payment-bitcoin-cash?type=intel-report"
+ ],
+ "extensions": [
+ ".THANATOS"
+ ]
+ },
+ "uuid": "361d7a90-2fde-4fc7-91ed-fdce26eb790f"
+ }
+ ],
+ "source": "Various",
+ "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
+ "name": "Ransomware",
+ "version": 6,
+ "type": "ransomware",
+ "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
+}
\ No newline at end of file
diff --git a/clusters/rat.json b/clusters/rat.json
index c5948f4..cd118f6 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -1,2176 +1,2406 @@
 {
- "name": "RAT",
- "type": "rat",
- "source": "MISP Project",
- "authors": [
- "Various"
- ],
- "description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
- "uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
- "version": 6,
- "values": [
- {
- "meta": {
- "refs": [
- "https://www.teamviewer.com"
- ]
- },
- "description": "TeamViewer is a proprietary computer software package for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.",
- "value": "TeamViewer"
- },
- {
- "value": "JadeRAT",
- "description": "JadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains.",
- "meta": {
- "refs": [
- "https://blog.lookout.com/mobile-threat-jaderat"
- ]
- }
- },
- {
- "meta": {
- "synonyms": [
- "BO"
- ],
- "refs": [
- "http://www.cultdeadcow.com/tools/bo.html",
- "http://www.symantec.com/avcenter/warn/backorifice.html"
- ]
- },
- "description": "Back Orifice (often shortened to BO) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location.",
- "value": "Back Orifice"
- },
- {
- "meta": {
- "synonyms": [
- "NetBus"
- ],
- "refs": [
- "http://www.symantec.com/avcenter/warn/backorifice.html",
- "https://www.f-secure.com/v-descs/netbus.shtml"
- ],
- "date": "1998"
- },
- "description": "NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. 
It was created in 1998 and has been very controversial for its potential of being used as a backdoor.", - "value": "Netbus" - }, - { - "meta": { - "synonyms": [ - "Poison Ivy", - "Backdoor.Win32.PoisonIvy", - "Gen:Trojan.Heur.PT" - ], - "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", - "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml" - ] - }, - "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", - "value": "PoisonIvy" - }, - { - "meta": { - "synonyms": [ - "SubSeven", - "Sub7Server" - ], - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2001-020114-5445-99" - ], - "date": "1999" - }, - "description": "Sub7, or SubSeven or Sub7Server, is a Trojan horse program.[1] Its name was derived by spelling NetBus backwards (\"suBteN\") and swapping \"ten\" with \"seven\". Sub7 was created by Mobman. Mobman has not maintained or updated the software since 2004, however an author known as Read101 has carried on the Sub7 legacy.", - "value": "Sub7" - }, - { - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Beast_(Trojan_horse)" - ], - "date": "2002" - }, - "description": "Beast is a Windows-based backdoor trojan horse, more commonly known in the hacking community as a Remote Administration Tool or a \"RAT\". It is capable of infecting versions of Windows from 95 to 10.", - "value": "Beast Trojan" - }, - { - "meta": { - "refs": [ - "https://www.revolvy.com/main/index.php?s=Bifrost%20(trojan%20horse)&item_type=topic", - "http://malware-info.blogspot.lu/2008/10/bifrost-trojan.html" - ], - "date": "2004" - }, - "description": "Bifrost is a discontinued backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 10 (although on modern Windows systems, after Windows XP, its functionality is limited). 
Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine (which runs the server whose behavior can be controlled by the server editor).", - "value": "Bifrost" - }, - { - "meta": { - "refs": [ - "https://krebsonsecurity.com/2014/05/blackshades-trojan-users-had-it-coming/" - ], - "date": "2010" - }, - "description": "Blackshades is the name of a malicious trojan horse used by hackers to control computers remotely. The malware targets computers using Microsoft Windows -based operating systems.[2] According to US officials, over 500,000 computer systems have been infected worldwide with the software.", - "value": "Blackshades" - }, - { - "meta": { - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", - "https://blogs.cisco.com/security/talos/darkkomet-rat-spam" - ], - "synonyms": [ - "Dark Comet" - ], - "date": "2008" - }, - "description": "DarkComet is a Remote Administration Tool (RAT) which was developed by Jean-Pierre Lesueur (known as DarkCoderSc), an independent programmer and computer security coder from the United Kingdom. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012.", - "value": "DarkComet" - }, - { - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2002-121116-0350-99" - ], - "date": "2002" - }, - "description": "Backdoor.Lanfiltrator is a backdoor Trojan that gives an attacker unauthorized access to a compromised computer. 
The detection is used for a family of Trojans that are produced by the Backdoor.Lanfiltrator generator.", - "value": "Lanfiltrator" - }, - { - "meta": { - "refs": [ - "http://lexmarket.su/thread-27692.html", - "https://www.nulled.to/topic/129749-win32hsidir-rat/" - ] - }, - "description": "Win32.HsIdir is an advanced remote administrator tool systems was done by the original author HS32-Idir, it is the development of the release made since 2006 Copyright © 2006-2010 HS32-Idir.", - "value": "Win32.HsIdir" - }, - { - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Optix_Pro", - "https://www.symantec.com/security_response/writeup.jsp?docid=2002-090416-0521-99", - "https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20208" - ], - "date": "2002" - }, - "description": "Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K", - "value": "Optix Pro" - }, - { - "meta": { - "synonyms": [ - "BO2k" - ], - "refs": [ - "https://en.wikipedia.org/wiki/Back_Orifice_2000", - "https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=10229", - "https://www.symantec.com/security_response/writeup.jsp?docid=2000-121814-5417-99", - "https://www.f-secure.com/v-descs/bo2k.shtml" - ], - "date": "1998" - }, - "description": "Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft BackOffice Server software. Back Orifice 2000 is a new version of the famous Back Orifice backdoor trojan (hacker's remote access tool). It was created by the Cult of Dead Cow hackers group in July 1999. Originally the BO2K was released as a source code and utilities package on a CD-ROM. 
There are reports that some files on that CD-ROM were infected with CIH virus, so the people who got that CD might get infected and spread not only the compiled backdoor, but also the CIH virus. ", - "value": "Back Orifice 2000" - }, - { - "meta": { - "synonyms": [ - "VNC Connect", - "VNC Viewer" - ], - "refs": [ - "https://www.realvnc.com/" - ] - }, - "description": "The software consists of a server and client application for the Virtual Network Computing (VNC) protocol to control another ", - "value": "RealVNC" - }, - { - "meta": { - "synonyms": [ - "UNRECOM", - "UNiversal REmote COntrol Multi-Platform", - "Frutas", - "AlienSpy", - "Unrecom", - "Jsocket", - "JBifrost" - ], - "refs": [ - "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf", - "https://www.f-secure.com/v-descs/backdoor_java_adwind.shtml", - "https://blog.fortinet.com/2016/08/16/jbifrost-yet-another-incarnation-of-the-adwind-rat" - ], - "date": "2011" - }, - "description": "Backdoor:Java/Adwind is a Java archive (.JAR) file that drops a malicious component onto the machines and runs as a backdoor. When active, it is capable of stealing user information and may also be used to distribute other malware. ", - "value": "Adwind RAT" - }, - { - "meta": { - "refs": [ - "https://www.virustotal.com/en/file/b31812e5b4c63c5b52c9b23e76a5ea9439465ab366a9291c6074bfae5c328e73/analysis/1359376345/" - ] - }, - "value": "Albertino Advanced RAT" - }, - { - "meta": { - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-112912-5237-99", - "http://blog.trendmicro.com/trendlabs-security-intelligence/tsunami-warning-leads-to-arcom-rat/" - ] - }, - "description": "The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00.", - "value": "Arcom" - }, - { - "meta": { - "refs": [ - "https://leakforums.net/thread-18123?tid=18123&&pq=1" - ] - }, - "description": "BlackNix rat is a rat coded in delphi. 
", - "value": "BlackNix" - }, - { - "meta": { - "refs": [ - "https://leakforums.net/thread-123872", - "https://techanarchy.net/2014/02/blue-banana-rat-config/" - ], - "date": "2012" - }, - "description": "Blue Banana is a RAT (Remote Administration Tool) created purely in Java", - "value": "Blue Banana" - }, - { - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html" - ], - "date": "2013" - }, - "description": "Bozok, like many other popular RATs, is freely available. The author of the Bozok RAT goes by the moniker “Slayer616” and has created another RAT known as Schwarze Sonne, or “SS-RAT” for short. Both of these RATs are free and easy to find — various APT actors have used both in previous targeted attacks.", - "value": "Bozok" - }, - { - "meta": { - "refs": [ - "https://sinister.ly/Thread-ClientMesh-RAT-In-Built-FUD-Crypter-Stable-DDoSer-No-PortForwading-40-Lifetime", - "https://blog.yakuza112.org/2012/clientmesh-rat-v5-cracked-clean/" - ] - }, - "description": "ClientMesh is a Remote Administration Application yhich allows a user to control a number of client PCs from around the world.", - "value": "ClientMesh" - }, - { - "meta": { - "refs": [ - "http://www.hackersthirst.com/2011/03/cybergate-rat-hacking-facebook-twitter.html", - "http://www.nbcnews.com/id/41584097/ns/technology_and_science-security/t/cybergate-leaked-e-mails-hint-corporate-hacking-conspiracy/" - ], - "date": "2011" - }, - "description": "CyberGate is a powerful, fully configurable and stable Remote Administration Tool coded in Delphi that is continuously getting developed. 
Using cybergate you can log the victim's passwords and can also get the screen shots of his computer's screen.", - "value": "CyberGate" - }, - { - "meta": { - "refs": [ - "http://meinblogzumtesten.blogspot.lu/2013/05/dark-ddoser-v56c-cracked.html" - ] - }, - "value": "Dark DDoSeR" - }, - { - "meta": { - "synonyms": [ - "DarkRAT" - ], - "refs": [ - "https://www.infosecurity-magazine.com/blogs/the-dark-rat/", - "http://darkratphp.blogspot.lu/" - ], - "date": "2005" - }, - "description": "In March 2017, Fujitsu Cyber Threat Intelligence uncovered a newly developed remote access tool referred to by its developer as ‘Dark RAT’ – a tool used to steal sensitive information from victims. Offered as a Fully Undetectable build (FUD) the RAT has a tiered price model including 24/7 support and an Android version. Android malware has seen a significant rise in interest and in 2015 this resulted in the arrests of a number of suspects involved in the infamous DroidJack malware.", - "value": "DarkRat" - }, - { - "meta": { - "refs": [ - "https://sites.google.com/site/greymecompany/greame-rat-project" - ] - }, - "value": "Greame" - }, - { - "meta": { - "refs": [ - "http://securityaffairs.co/wordpress/54837/hacking/one-stop-shop-hacking.html" - ], - "date": "2003" - }, - "description": "HawkEye is a popular RAT that can be used as a keylogger, it is also able to identify login events and record the destination, username, and password.", - "value": "HawkEye" - }, - { - "meta": { - "refs": [ - "https://www.rekings.com/shop/jrat/" - ], - "synonyms": [ - "JacksBot" - ], - "date": "2012" - }, - "description": "jRAT is the cross-platform remote administrator tool that is coded in Java, Because its coded in Java it gives jRAT possibilities to run on all operation systems, Which includes Windows, Mac OSX and Linux distributions.", - "value": "jRAT" - }, - { - "meta": { - "refs": [ - "https://leakforums.net/thread-479505" - ], - "date": "2013" - }, - "description": "jSpy is a Java RAT. 
", - "value": "jSpy" - }, - { - "meta": { - "refs": [ - "https://leakforums.net/thread-284656" - ] - }, - "description": "Just saying that this is a very badly coded RAT by the biggest skid in this world, that is XilluX. The connection is very unstable, the GUI is always flickering because of the bad Multi-Threading and many more bugs.", - "value": "LuxNET" - }, - { - "meta": { - "refs": [ - "https://www.cyber.nj.gov/threat-profiles/trojan-variants/njrat" - ], - "synonyms": [ - "Njw0rm" - ], - "date": "2012" - }, - "description": "NJRat is a remote access trojan (RAT), first spotted in June 2013 with samples dating back to November 2012. It was developed and is supported by Arabic speakers and mainly used by cybercrime groups against targets in the Middle East. In addition to targeting some governments in the region, the trojan is used to control botnets and conduct other typical cybercrime activity. It infects victims via phishing attacks and drive-by downloads and propagates through infected USB keys or networked drives. It can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.", - "value": "NJRat" - }, - { - "meta": { - "refs": [ - "https://www.rekings.com/pandora-rat-2-2/" - ], - "date": "2002" - }, - "description": "Remote administrator tool that has been developed for Windows operation system. With advanced features and stable structure, Pandora’s structure is based on advanced client / server architecture. 
was configured using modern technology.",
- "value": "Pandora"
- },
- {
- "meta": {
- "synonyms": [
- "PredatorPain"
- ],
- "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/predator-pain-and-limitless-behind-the-fraud/",
- "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-predator-pain-and-limitless.pdf"
- ]
- },
- "description": "Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved.",
- "value": "Predator Pain"
- },
- {
- "meta": {
- "refs": [
- "http://punisher-rat.blogspot.lu/"
- ],
- "date": "2007"
- },
- "description": "Remote administration tool",
- "value": "Punisher RAT"
- },
- {
- "meta": {
- "refs": [
- "https://www.rekings.com/spygate-rat-3-2/",
- "https://www.symantec.com/security_response/attacksignatures/detail.jsp%3Fasid%3D27950",
- "http://spygate-rat.blogspot.lu/"
- ]
- },
- "description": "This is tool that allow you to control your computer form anywhere in world with full support to unicode language. 
",
- "value": "SpyGate"
- },
- {
- "meta": {
- "synonyms": [
- "SmallNet"
- ],
- "refs": [
- "http://small-net-rat.blogspot.lu/"
- ]
- },
- "description": "RAT",
- "value": "Small-Net"
- },
- {
- "meta": {
- "refs": [
- "https://www.rekings.com/vantom-rat/"
- ]
- },
- "description": "Vantom is a free RAT with good option and very stable.",
- "value": "Vantom"
- },
- {
- "meta": {
- "refs": [
- "https://leakforums.net/thread-497480"
- ]
- },
- "description": "Xena RAT is a fully-functional, stable, state-of-the-art RAT, coded in a native language called Delphi, it has almost no dependencies.",
- "value": "Xena"
- },
- {
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html"
- ],
- "date": "2010"
- },
- "description": "This malware has been used in targeted attacks as well as traditional cybercrime. During our investigation we found that the majority of XtremeRAT activity is associated with spam campaigns that typically distribute Zeus variants and other banking-focused malware. ",
- "value": "XtremeRAT"
- },
- {
- "meta": {
- "refs": [
- "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data"
- ],
- "date": "2012"
- },
- "description": "NetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers.",
- "value": "Netwire"
- },
- {
- "meta": {
- "refs": [
- "https://www.volexity.com/blog/2017/03/23/have-you-been-haunted-by-the-gh0st-rat-today/"
- ],
- "date": "2001"
- },
- "description": "Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into some of the most sensitive computer networks on Earth. It is a cyber spying computer program. .",
- "value": "Gh0st RAT"
- },
- {
- "meta": {
- "refs": [
- "http://www.zunzutech.com/blog/security/analysis-of-plasma-rats-source-code/"
- ]
- },
- "description": "Plasma RAT’s stub is fairly advanced, having many robust features. 
Some of the features include botkilling, Cryptocurrencies Mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a Botnet version of it (Plasma HTTP), which is pretty similar to the RAT version.",
- "value": "Plasma RAT"
- },
- {
- "meta": {
- "refs": [
- "https://www.rekings.com/babylon-rat/"
- ]
- },
- "description": "Babylon is a highly advanced remote administration tool with no dependencies. The server is developed in C++ which is an ideal language for high performance and the client is developed in C#(.Net Framework 4.5)",
- "value": "Babylon"
- },
- {
- "meta": {
- "refs": [
- "http://www.imminentmethods.info/"
- ]
- },
- "description": "RAT",
- "value": "Imminent Monitor"
- },
- {
- "meta": {
- "refs": [
- "http://droidjack.net/"
- ]
- },
- "description": "DroidJack is a RAT (Remote Access Trojan/Remote Administration Tool) nature of remote accessing, monitoring and managing tool (Java based) for Android mobile OS. You can use it to perform a complete remote control to any Android devices infected with DroidJack through your PC. It comes with powerful function and user-friendly operation – even allows attackers to fully take over the mobile phone and steal, record the victim’s private data wilfully.",
- "value": "DroidJack"
- },
- {
- "meta": {
- "refs": [
- "https://github.com/quasar/QuasarRAT"
- ],
- "date": "2014"
- },
- "description": "Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface",
- "value": "Quasar RAT"
- },
- {
- "meta": {
- "refs": [
- "https://github.com/qqshow/dendroid",
- "https://github.com/nyx0/Dendroid"
- ],
- "date": "2014"
- },
- "description": "Dendroid is malware that affects Android OS and targets the mobile platform. It was first discovered in early of 2014 by Symantec and appeared in the underground for sale for $300. 
Some things were noted in Dendroid, such as being able to hide from emulators at the time. When first discovered in 2014 it was one of the most sophisticated Android remote administration tools known at that time. It was one of the first Trojan applications to get past Google's Bouncer and caused researchers to warn about it being easier to create Android malware due to it. It also seems to have follow in the footsteps of Zeus and SpyEye by having simple-to-use command and control panels. The code appeared to be leaked somewhere around 2014. It was noted that an apk binder was included in the leak, which provided a simple way to bind Dendroid to legitimate applications.",
- "value": "Dendroid"
- },
- {
- "meta": {
- "refs": [
- "https://github.com/shotskeber/Ratty"
- ],
- "date": "2016"
- },
- "description": "A Java R.A.T. program",
- "value": "Ratty"
- },
- {
- "meta": {
- "refs": [
- "http://level23hacktools.com/forum/showthread.php?t=27971",
- "https://leakforums.net/thread-405562?tid=405562&&pq=1"
- ]
- },
- "description": "Java RAT",
- "value": "RaTRon"
- },
- {
- "meta": {
- "refs": [
- "http://arabian-attacker.software.informer.com/"
- ],
- "date": "2006"
- },
- "value": "Arabian-Attacker RAT"
- },
- {
- "meta": {
- "refs": [
- "https://latesthackingnews.com/2015/05/31/how-to-hack-android-phones-with-androrat/",
- "https://github.com/wszf/androrat"
- ]
- },
- "description": "Androrat is a client/server application developed in Java Android for the client side and in Java/Swing for the Server.",
- "value": "Androrat"
- },
- {
- "meta": {
- "refs": [
- "http://adzok.com/"
- ]
- },
- "description": "Remote Administrator",
- "value": "Adzok"
- },
- {
- "meta": {
- "synonyms": [
- "SS-RAT",
- "Schwarze Sonne"
- ],
- "refs": [
- "https://github.com/mwsrc/Schwarze-Sonne-RAT"
- ],
- "date": "2010"
- },
- "value": "Schwarze-Sonne-RAT"
- },
- {
- "meta": {
- "refs": [
- "https://www.indetectables.net/viewtopic.php?t=24245"
- ]
- },
- "value": "Cyber Eye RAT"
- },
- { 
- "value": "Batch NET"
- },
- {
- "meta": {
- "refs": [
- "https://leakforums.net/thread-530663"
- ]
- },
- "value": "RWX RAT"
- },
- {
- "meta": {
- "refs": [
- "http://spynet-rat-officiel.blogspot.lu/"
- ],
- "date": "2010"
- },
- "description": "Spy-Net is a software that allow you to control any computer in world using Windows Operating System.He is back using new functions and good options to give you full control of your remote computer.Stable and fast, this software offer to you a good interface, creating a easy way to use all his functions",
- "value": "Spynet"
- },
- {
- "meta": {
- "refs": [
- "https://leakforums.net/thread-559871"
- ]
- },
- "value": "CTOS"
- },
- {
- "meta": {
- "refs": [
- "https://github.com/mwsrc/Virus-RAT-v8.0-Beta"
- ]
- },
- "value": "Virus RAT"
- },
- {
- "meta": {
- "refs": [
- "http://www.atelierweb.com/products/"
- ]
- },
- "value": "Atelier Web Remote Commander"
- },
- {
- "meta": {
- "refs": [
- "https://github.com/chrismattmann/drat"
- ]
- },
- "description": "A distributed, parallelized (Map Reduce) wrapper around Apache™ RAT to allow it to complete on large code repositories of multiple file types where Apache™ RAT hangs forev",
- "value": "drat"
- },
- {
- "meta": {
- "refs": [
- "https://www.f-secure.com/v-descs/mosuck.shtml"
- ]
- },
- "description": "MoSucker is a powerful backdoor - hacker's remote access tool.",
- "value": "MoSucker"
- },
- {
- "meta": {
- "refs": [
- "http://www.grayhatforum.org/thread-4373-post-5213.html#pid5213",
- "http://www.spy-emergency.com/research/T/Theef_Download_Creator.html",
- "http://www.spy-emergency.com/research/T/Theef.html"
- ],
- "date": "2002"
- },
- "value": "Theef"
- },
- {
- "meta": {
- "refs": [
- "http://prorat.software.informer.com/",
- "http://malware.wikia.com/wiki/ProRat"
- ],
- "date": "2002"
- },
- "description": "ProRat is a Microsoft Windows based backdoor trojan, more commonly known as a Remote Administration Tool. 
As with other trojan horses it uses a client and server. ProRat opens a port on the computer which allows the client to perform numerous operations on the server (the machine being controlled). ",
- "value": "ProRat"
- },
- {
- "meta": {
- "refs": [
- "https://sites.google.com/site/greymecompany/setro-rat-project"
- ]
- },
- "value": "Setro"
- },
- {
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2015/03/indetectables-rat-v.0.5-beta.html"
- ]
- },
- "value": "Indetectables RAT"
- },
- {
- "meta": {
- "refs": [
- "https://luminosity.link/"
- ]
- },
- "value": "Luminosity Link"
- },
- {
- "meta": {
- "refs": [
- "https://orcustechnologies.com/"
- ],
- "date": "2015"
- },
- "value": "Orcus"
- },
- {
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2014/10/blizzard-rat-lite-v1.3.1.html"
- ]
- },
- "value": "Blizzard"
- },
- {
- "meta": {
- "refs": [
- "https://www.rekings.com/kazybot-lite-php-rat/",
- "http://telussecuritylabs.com/threats/show/TSL20150122-06"
- ]
- },
- "value": "Kazybot"
- },
- {
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2015/01/bx-rat-v1.0.html"
- ],
- "date": "2014"
- },
- "value": "BX"
- },
- {
- "value": "death"
- },
- {
- "meta": {
- "refs": [
- "https://rubear.me/threads/sky-wyder-2016-cracked.127/"
- ]
- },
- "value": "Sky Wyder"
- },
- {
- "meta": {
- "refs": [
- "https://www.rekings.com/darktrack-4-alien/",
- "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml"
- ],
- "date": "2017"
- },
- "value": "DarkTrack"
- },
- {
- "meta": {
- "refs": [
- "https://github.com/c4bbage/xRAT"
- ],
- "date": "2017"
- },
- "description": "Free, Open-Source Remote Administration Tool. 
xRAT 2.0 is a fast and light-weight Remote Administration Tool coded in C# (using .NET Framework 2.0).",
- "value": "xRAT"
- },
- {
- "meta": {
- "refs": [
- "http://sakhackingarticles.blogspot.lu/2014/08/biodox-rat.html"
- ]
- },
- "value": "Biodox"
- },
- {
- "meta": {
- "refs": [
- "https://leakforums.net/thread-31386?tid=31386&&pq=1"
- ]
- },
- "description": "Offense RAT is a free renote administration tool made in Delphi 9.",
- "value": "Offence"
- },
- {
- "meta": {
- "refs": [
- "https://leakforums.net/thread-36962"
- ],
- "date": "2009"
- },
- "value": "Apocalypse"
- },
- {
- "meta": {
- "refs": [
- "https://leakforums.net/thread-363920"
- ],
- "date": "2013"
- },
- "value": "JCage"
- },
- {
- "meta": {
- "refs": [
- "http://malware.wikia.com/wiki/Nuclear_RAT",
- "http://www.nuclearwintercrew.com/Products-View/21/Nuclear_RAT_2.1.0/"
- ]
- },
- "description": "Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003).",
- "value": "Nuclear RAT"
- },
- {
- "meta": {
- "refs": [
- "http://ozonercp.com/"
- ]
- },
- "description": "C++ REMOTE CONTROL PROGRAM",
- "value": "Ozone"
- },
- {
- "meta": {
- "refs": [
- "https://github.com/alienwithin/xanity-php-rat"
- ]
- },
- "value": "Xanity"
- },
- {
- "meta": {
- "synonyms": [
- "Dark Moon"
- ]
- },
- "value": "DarkMoon"
- },
- {
- "meta": {
- "refs": [
- "http://broad-product.biz/forum/r-a-t-(remote-administration-tools)/xpert-rat-3-0-10-by-abronsius(vb6)/",
- "https://www.nulled.to/topic/18355-xpert-rat-309/",
- "https://trickytamilan.blogspot.lu/2016/03/xpert-rat.html"
- ]
- },
- "value": "Xpert"
- },
- {
- "meta": {
- "refs": [
- "https://www.alienvault.com/blogs/labs-research/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off"
- ],
- "synonyms": [
- "Njw0rm"
- ]
- },
- "description": "This remote access trojan (RAT) has capabilities ranging from manipulating the registry to opening a reverse shell. 
From stealing credentials stored in browsers to accessing the victims webcam. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread utilizing physic devices, such as USB drives, but also to use the victim as a pivot point to gain more access laterally throughout the network. This remote access trojan could be classified as a variant of the well known njrat, as they share many similar features such as their display style, several abilities and a general template for communication methods . However, where njrat left off KilerRat has taken over. KilerRat is a very feature rich RAT with an active development force that is rapidly gaining in popularity amongst the middle eastern community and the world.",
- "value": "Kiler RAT"
- },
- {
- "value": "Brat"
- },
- {
- "value": "MINI-MO"
- },
- {
- "meta": {
- "refs": [
- "http://lost-door.blogspot.lu/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/",
- "https://www.cyber.nj.gov/threat-profiles/trojan-variants/lost-door-rat"
- ],
- "synonyms": [
- "LostDoor"
- ],
- "date": "2010"
- },
- "description": "Unlike most attack tools that one can only find in cybercriminal underground markets, Lost Door is very easy to obtain. It’s promoted on social media sites like YouTube and Facebook. Its maker, “OussamiO,” even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT is found. 
Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.",
- "value": "Lost Door"
- },
- {
- "meta": {
- "refs": [
- "https://www.rekings.com/loki-rat-php-rat/"
- ]
- },
- "description": "Loki RAT is a php RAT that means no port forwarding is needed for this RAT, If you dont know how to setup this RAT click on tutorial.",
- "value": "Loki RAT"
- },
- {
- "meta": {
- "refs": [
- "https://github.com/BahNahNah/MLRat"
- ]
- },
- "value": "MLRat"
- },
- {
- "meta": {
- "refs": [
- "http://perfect-conexao.blogspot.lu/2014/09/spycronic-1021.html",
- "http://www.connect-trojan.net/2013/09/spycronic-v1.02.1.html",
- "https://ranger-exploit.com/spycronic-v1-02-1/"
- ]
- },
- "value": "SpyCronic"
- },
- {
- "meta": {
- "refs": [
- "https://github.com/n1nj4sec/pupy"
- ],
- "date": "2015"
- },
- "description": "Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python ",
- "value": "Pupy"
- },
- {
- "meta": {
- "refs": [
- "http://novarat.sourceforge.net/"
- ],
- "date": "2002"
- },
- "description": "Nova is a proof of concept demonstrating screen sharing over UDP hole punching.",
- "value": "Nova"
- },
- {
- "meta": {
- "refs": [
- "https://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=9401&signatureSubId=2",
- "https://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=9401&signatureSubId=0&softwareVersion=6.0&releaseVersion=S177",
- "https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20292",
- "https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20264"
- ],
- "synonyms": [
- "Back Door Y3K RAT",
- "Y3k"
- ],
- "date": "1998"
- },
- "value": "BD Y3K RAT"
- },
- {
- "meta": {
- "refs": [
- "http://turkojan.blogspot.lu/"
- ],
- "date": "2003"
- },
- "description": "Turkojan is a remote administration and spying tool for Microsoft Windows operating systems.",
- "value": "Turkojan"
- },
- {
- 
"meta": {
- "refs": [
- "http://josh.com/tiny/"
- ]
- },
- "description": "TINY is a set of programs that lets you control a DOS computer from any Java-capable machine over a TCP/IP connection. It is comparable to programs like VNC, CarbonCopy, and GotoMyPC except that the host machine is a DOS computer rather than a Windows one.",
- "value": "TINY"
- },
- {
- "meta": {
- "refs": [
- "https://www.security-database.com/toolswatch/SharK-3-Remote-Administration-Tool.html",
- "http://lpc1.clpccd.cc.ca.us/lpc/mdaoud/CNT7501/NETLABS/Ethical_Hacking_Lab_05.pdf"
- ],
- "synonyms": [
- "SHARK",
- "Shark"
- ],
- "date": "2008"
- },
- "description": "sharK is an advanced reverse connecting, firewall bypassing remote administration tool written in VB6. With sharK you will be able to administrate every PC (using Windows OS) remotely.",
- "value": "SharK"
- },
- {
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2003-022018-5040-99"
- ],
- "synonyms": [
- "Backdoor.Blizzard",
- "Backdoor.Fxdoor",
- "Backdoor.Snowdoor",
- "Backdoor:Win32/Snowdoor"
- ]
- },
- "description": "Backdoor.Snowdoor is a Backdoor Trojan Horse that allows unauthorized access to an infected computer. It creates an open C drive share with its default settings. By default, the Trojan listens on port 5,328.",
- "value": "Snowdoor"
- },
- {
- "meta": {
- "refs": [
- "https://www.nulled.to/topic/155464-paradox-rat/"
- ]
- },
- "value": "Paradox"
- },
- {
- "meta": {
- "refs": [
- "https://www.rekings.com/spynote-v4-android-rat/"
- ]
- },
- "description": "Android RAT",
- "value": "SpyNote"
- },
- {
- "value": "ZOMBIE SLAYER"
- },
- {
- "value": "HTTP WEB BACKDOOR"
- },
- {
- "meta": {
- "refs": [
- "https://networklookout.com/help/"
- ]
- },
- "description": "Net Monitor for Employees lets you see what everyone's doing - without leaving your desk. Monitor the activity of all employees. 
Plus you can share your screen with your employees PCs, making demos and presentations much easier.",
- "value": "NET-MONITOR PRO"
- },
- {
- "meta": {
- "refs": [
- "http://www.dameware.com/dameware-mini-remote-control"
- ],
- "synonyms": [
- "dameware"
- ]
- },
- "description": "Affordable remote control software for all your customer support and help desk needs.",
- "value": "DameWare Mini Remote Control"
- },
- {
- "meta": {
- "refs": [
- "https://www.remoteutilities.com/"
- ]
- },
- "description": "Remote Utilities is a free remote access program with some really great features. It works by pairing two remote computers together with what they call an \"Internet ID.\" You can control a total of 10 PCs with Remote Utilities.",
- "value": "Remote Utilities"
- },
- {
- "meta": {
- "refs": [
- "http://ammyy-admin.soft32.com/"
- ],
- "synonyms": [
- "Ammyy"
- ],
- "date": "2011"
- },
- "description": "Ammyy Admin is a completely portable remote access program that's extremely simple to setup. It works by connecting one computer to another via an ID supplied by the program.",
- "value": "Ammyy Admin"
- },
- {
- "meta": {
- "refs": [
- "http://www.uvnc.com/"
- ]
- },
- "description": "UltraVNC works a bit like Remote Utilities, where a server and viewer is installed on two PCs, and the viewer is used to control the server.",
- "value": "Ultra VNC"
- },
- {
- "meta": {
- "refs": [
- "http://www.aeroadmin.com/en/"
- ]
- },
- "description": "AeroAdmin is probably the easiest program to use for free remote access. There are hardly any settings, and everything is quick and to the point, which is perfect for spontaneous support.",
- "value": "AeroAdmin"
- },
- {
- "description": "Windows Remote Desktop is the remote access software built into the Windows operating system. 
No additional download is necessary to use the program.",
- "value": "Windows Remote Desktop"
- },
- {
- "meta": {
- "refs": [
- "https://www.remotepc.com/"
- ]
- },
- "description": "RemotePC, for good or bad, is a more simple free remote desktop program. You're only allowed one connection (unless you upgrade) but for many of you, that'll be just fine.",
- "value": "RemotePC"
- },
- {
- "meta": {
- "refs": [
- "http://seecreen.com/"
- ],
- "synonyms": [
- "Firnass"
- ]
- },
- "description": "Seecreen (previously called Firnass) is an extremely tiny (500 KB), yet powerful free remote access program that's absolutely perfect for on-demand, instant support.",
- "value": "Seecreen"
- },
- {
- "meta": {
- "refs": [
- "https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp?hl=en"
- ]
- },
- "description": "Chrome Remote Desktop is an extension for the Google Chrome web browser that lets you setup a computer for remote access from any other Chrome browser.",
- "value": "Chrome Remote Desktop"
- },
- {
- "meta": {
- "refs": [
- "https://anydesk.com/remote-desktop"
- ]
- },
- "description": "AnyDesk is a remote desktop program that you can run portably or install like a regular program.",
- "value": "AnyDesk"
- },
- {
- "meta": {
- "refs": [
- "http://www.litemanager.com/"
- ]
- },
- "description": "LiteManager is another remote access program, and it's strikingly similar to Remote Utilities, which I explain on the first page of this list. However, unlike Remote Utilities, which can control a total of only 10 PCs, LiteManager supports up to 30 slots for storing and connecting to remote computers, and also has lots of useful features.",
- "value": "LiteManager"
- },
- {
- "meta": {
- "refs": [
- "https://www.comodo.com/home/download/download.php?prod=comodounite"
- ]
- },
- "description": "Comodo Unite is another free remote access program that creates a secure VPN between multiple computers. 
Once a VPN is established, you can remotely have access to applications and files through the client software.",
- "value": "Comodo Unite"
- },
- {
- "meta": {
- "refs": [
- "https://showmypc.com/"
- ]
- },
- "description": "ShowMyPC is a portable and free remote access program that's nearly identical to UltraVNC but uses a password to make a connection instead of an IP address.",
- "value": "ShowMyPC"
- },
- {
- "meta": {
- "refs": [
- "https://www.join.me/"
- ]
- },
- "description": "join.me is a remote access program from the producers of LogMeIn that provides quick access to another computer over an internet browser.",
- "value": "join.me"
- },
- {
- "meta": {
- "refs": [
- "http://www.nchsoftware.com/remotedesktop/index.html"
- ]
- },
- "description": "DesktopNow is a free remote access program from NCH Software. After optionally forwarding the proper port number in your router, and signing up for a free account, you can access your PC from anywhere through a web browser.",
- "value": "DesktopNow"
- },
- {
- "meta": {
- "refs": [
- "http://www.beamyourscreen.com/"
- ]
- },
- "description": "Another free and portable remote access program is BeamYourScreen. 
This program works like some of the others in this list, where the presenter is given an ID number they must share with another user so they can connect to the presenter's screen.",
- "value": "BeamYourScreen"
- },
- {
- "value": "Casa RAT"
- },
- {
- "meta": {
- "refs": [
- "http://www.nuclearwintercrew.com/Products-View/57/Bandook_RAT_v1.35__NEW_/"
- ],
- "date": "2005"
- },
- "description": "Bandook is a FWB#++ reverse connection rat (Remote Administration Tool), with a small size server when packed 30 KB, and a long list of amazing features",
- "value": "Bandook RAT"
- },
- {
- "meta": {
- "refs": [
- "http://www.hacktohell.org/2011/05/setting-up-cerberus-ratremote.html"
- ],
- "date": "2009"
- },
- "value": "Cerberus RAT"
- },
- {
- "value": "Syndrome RAT",
- "meta": {
- "date": "2010"
- }
- },
- {
- "meta": {
- "refs": [
- "http://www.spy-emergency.com/research/S/Snoopy.html"
- ],
- "date": "2002"
- },
- "description": "Snoopy is a Remote Administration Tool. Software for controlling user computer remotely from other computer on local network or Internet.",
- "value": "Snoopy"
- },
- {
- "value": "5p00f3r.N$ RAT",
- "meta": {
- "date": "2010"
- }
- },
- {
- "meta": {
- "synonyms": [
- "P.Storrie RAT"
- ],
- "date": "2011"
- },
- "value": "P. Storrie RAT"
- },
- {
- "value": "xHacker Pro RAT",
- "meta": {
- "date": "2007"
- }
- },
- {
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2002-021310-3452-99"
- ]
- },
- "description": "Backdoor.NetDevil allows a hacker to remotely control an infected computer.",
- "value": "NetDevil"
- },
- {
- "meta": {
- "refs": [
- "https://www.digitrustgroup.com/nanocore-not-your-average-rat/"
- ]
- },
- "description": "In September of 2015, a DigiTrust client visited a web link that was providing an Adobe Flash Player update. The client, an international retail organization, attempted to download and run what appeared to be a regular update. 
The computer trying to download this update was a back office system that processed end of day credit card transactions. This system also had the capability of connecting to the corporate network which contained company sales reports.\nDigiTrust experts were alerted to something malicious and blocked the download. The investigation found that what appeared to be an Adobe Flash Player update, was a Remote Access Trojan called NanoCore. If installation had been successful, customer credit card data, personal information, and internal sales information could have been captured and monetized. During the analysis of NanoCore, our experts found that there was much more to this RAT than simply being another Remote Access Trojan.",
- "value": "NanoCore"
- },
- {
- "description": "The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for free and had lot of similarities to the njRAT/H-Worm family",
- "value": "Cobian RAT",
- "meta": {
- "refs": [
- "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat"
- ],
- "date": "2017"
- }
- },
- {
- "description": "NetSupport Manager continues to deliver the very latest in remote access, PC support and desktop management capabilities. From a desktop, laptop, tablet or smartphone, monitor multiple systems in a single action, deliver hands-on remote support, collaborate and even record or play back sessions. 
When needed, gather real-time hardware and software inventory, monitor services and even view system config remotely to help resolve issues quickly.",
- "value": "Netsupport Manager",
- "meta": {
- "refs": [
- "http://www.netsupportmanager.com/index.asp"
- ],
- "date": "1989"
- }
- },
- {
- "value": "Vortex",
- "meta": {
- "date": "1998"
- }
- },
- {
- "value": "Assassin",
- "meta": {
- "date": "2002"
- }
- },
- {
- "value": "Net Devil",
- "meta": {
- "refs": [
- "https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20702"
- ],
- "date": "2002",
- "synonyms": [
- "NetDevil"
- ]
- }
- },
- {
- "value": "A4Zeta",
- "meta": {
- "refs": [
- "http://www.megasecurity.org/trojans/a/a4zeta/A4zeta_b2.html"
- ],
- "date": "2002"
- }
- },
- {
- "value": "Greek Hackers RAT",
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2013/04/greek-hackers-rat-1.0.html?m=0"
- ],
- "date": "2002"
- }
- },
- {
- "value": "MRA RAT",
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2013/04/greek-hackers-rat-1.0.html?m=0"
- ],
- "date": "2002"
- }
- },
- {
- "value": "Sparta RAT",
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2015/09/sparta-rat-1.2-by-azooz-ejram.html"
- ],
- "date": "2002"
- }
- },
- {
- "value": "LokiTech",
- "meta": {
- "date": "2003"
- }
- },
- {
- "value": "MadRAT",
- "meta": {
- "date": "2002"
- }
- },
- {
- "value": "Tequila Bandita",
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2013/07/tequila-bandita-1.3b2.html"
- ],
- "date": "2004"
- }
- },
- {
- "value": "Toquito Bandito",
- "meta": {
- "refs": [
- "http://www.megasecurity.org/trojans/t/toquitobandito/Toquitobandito_all.html"
- ],
- "date": "2004"
- }
- },
- {
- "description": "MofoTro is a new rat coded by Cool_mofo_2.",
- "value": "MofoTro",
- "meta": {
- "refs": [
- "http://www.megasecurity.org/trojans/m/mofotro/Mofotro_beta.html",
- "http://www.megasecurity.org/trojans/m/mofotro/Mofotroresurrection.html",
- 
"http://www.megasecurity.org/trojans/m/mofotro/Mofotro_beta1.5.html"
- ],
- "date": "2006"
- }
- },
- {
- "description": "Written in Delphi",
- "value": "Hav-RAT",
- "meta": {
- "refs": [
- "http://www.megasecurity.org/trojans/h/hav/Havrat1.2.html"
- ],
- "date": "2007"
- }
- },
- {
- "description": "ComRAT is a remote access tool suspected of being a decedent of Agent.btz and used by Turla.",
- "value": "ComRAT",
- "meta": {
- "refs": [
- "https://attack.mitre.org/wiki/Software/S0126"
- ],
- "date": "2007"
- }
- },
- {
- "description": "4H RAT is malware that has been used by Putter Panda since at least 2007.",
- "value": "4H RAT",
- "meta": {
- "refs": [
- "https://attack.mitre.org/wiki/Software/S0065"
- ],
- "date": "2007"
- }
- },
- {
- "description": "",
- "value": "Darknet RAT",
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2015/06/dark-net-rat-v.0.3.9.0.html"
- ],
- "date": "2007",
- "synonyms": [
- "Dark NET RAT"
- ]
- }
- },
- {
- "value": "CIA RAT",
- "meta": {
- "date": "2008"
- }
- },
- {
- "value": "Minimo",
- "meta": {
- "date": "2008"
- }
- },
- {
- "value": "miniRAT",
- "meta": {
- "date": "2008"
- }
- },
- {
- "value": "Pain RAT",
- "meta": {
- "date": "2008"
- }
- },
- {
- "description": "PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. 
It was utilized the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.",
- "value": "PlugX",
- "meta": {
- "refs": [
- "https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/",
- "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX"
- ],
- "synonyms": [
- "Korplug"
- ],
- "date": "2005 or 2008"
- }
- },
- {
- "description": "The existence of the UNITEDRAKE RAT first came to light in 2014 as part of a series of classified documents leaked by former NSA contractor Edward Snowden.",
- "value": "UNITEDRAKE",
- "meta": {
- "refs": [
- "http://thehackernews.com/2017/09/shadowbrokers-unitedrake-hacking.html",
- "https://www.itnews.com.au/news/shadowbrokers-release-unitedrake-nsa-malware-472771"
- ],
- "date": "2008"
- }
- },
- {
- "description": "Written in Visual Basic",
- "value": "MegaTrojan",
- "meta": {
- "refs": [
- "http://www.megasecurity.org/trojans/m/mega/Megatrojan1.0.html"
- ],
- "date": "2008"
- }
- },
- {
- "value": "Venomous Ivy",
- "meta": {
- "date": "2009"
- }
- },
- {
- "value": "Xploit",
- "meta": {
- "date": "2010"
- }
- },
- {
- "value": "Arctic R.A.T.",
- "meta": {
- "refs": [
- "http://anti-virus-soft.com/threats/artic"
- ],
- "synonyms": [
- "Artic"
- ],
- "date": "2010"
- }
- },
- {
- "value": "GOlden Phoenix",
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2014/02/golden-phoenix-rat-0.2.html"
- ],
- "date": "2010"
- }
- },
- {
- "value": "GraphicBooting",
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2014/10/graphicbooting-rat-v0.1-beta.html?m=0"
- ],
- "date": "2010"
- }
- },
- {
- "value": "Pocket RAT",
- "meta": {
- "date": "2010"
- }
- },
- {
- "value": "Erebus",
- "meta": {
- "date": "2010"
- }
- },
- {
- "value": "SharpEye",
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2014/10/sharpeye-rat-1.0-beta-1.html",
- "http://www.connect-trojan.net/2014/02/sharpeye-rat-1.0-beta-2.html"
- ],
- "date": "2010"
- }
- },
- {
- "value": "VorteX",
- "meta": {
- "date": 
"2010"
- }
- },
- {
- "value": "Archelaus Beta",
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2014/02/archelaus-rat-beta.html"
- ],
- "date": "2010"
- }
- },
- {
- "description": "C# RAT (Remote Adminitration Tool) - Educational purposes only",
- "value": "BlackHole",
- "meta": {
- "refs": [
- "https://github.com/hussein-aitlahcen/BlackHole"
- ],
- "date": "2011"
- }
- },
- {
- "value": "Vanguard",
- "meta": {
- "refs": [
- "http://ktwox7.blogspot.lu/2010/12/vanguard-remote-administration.html"
- ],
- "date": "2010"
- }
- },
- {
- "value": "Ahtapod",
- "meta": {
- "refs": [
- "http://www.ibtimes.co.uk/turkish-journalist-baris-pehlivan-jailed-terrorism-was-framed-by-hackers-says-report-1577481"
- ],
- "date": "2011"
- }
- },
- {
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html"
- ],
- "date": "2012"
- },
- "description": "Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.",
- "value": "FINSPY"
- },
- {
- "description": "Seed is a firewall bypass plus trojan, injects into default browser and has a simple purpose: to be compact (4kb server size) and useful while uploading bigger and full trojans, or even making Seed download them somewhere. Has computer info, process manager, file manager, with download, create folder, delete, execute and upload. And a remote download function. 
Everything with a easy to use interface, reminds an instant messenger.",
- "value": "Seed RAT",
- "meta": {
- "refs": [
- "http://www.nuclearwintercrew.com/Products-View/25/Seed_1.1/"
- ],
- "date": "2004 or 2011"
- }
- },
- {
- "value": "SharpBot",
- "meta": {
- "date": "2011"
- }
- },
- {
- "value": "TorCT PHP RAT",
- "meta": {
- "refs": [
- "https://github.com/alienwithin/torCT-PHP-RAT"
- ],
- "date": "2012"
- }
- },
- {
- "value": "A32s RAT",
- "meta": {
- "date": "2012"
- }
- },
- {
- "value": "Char0n",
- "meta": {
- "date": "2012"
- }
- },
- {
- "value": "Nytro",
- "meta": {
- "date": "2012"
- }
- },
- {
- "value": "Syla",
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2013/07/syla-rat-0.3.html"
- ],
- "date": "2012"
- }
- },
- {
- "description": "Cobalt Strike is software for Adversary Simulations and Red Team Operations.",
- "value": "Cobalt Strike",
- "meta": {
- "refs": [
- "https://www.cobaltstrike.com/"
- ],
- "date": "2012"
- }
- },
- {
- "description": "The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. 
Sakula enables an adversary to run interactive commands as well as to download and execute additional components.",
- "value": "Sakula",
- "meta": {
- "refs": [
- "https://www.secureworks.com/research/sakula-malware-family"
- ],
- "synonyms": [
- "Sakurel",
- "VIPER"
- ],
- "date": "2012"
- }
- },
- {
- "description": "hcdLoader is a remote access tool (RAT) that has been used by APT18.",
- "value": "hcdLoader",
- "meta": {
- "refs": [
- "https://attack.mitre.org/wiki/Software/S0071"
- ],
- "date": "2012"
- }
- },
- {
- "value": "Crimson",
- "meta": {
- "refs": [
- "http://www.connect-trojan.net/2015/01/crimson-rat-3.0.0.html"
- ],
- "date": "2012"
- }
- },
- {
- "value": "KjW0rm",
- "meta": {
- "refs": [
- "http://hack-defender.blogspot.fr/2015/12/kjw0rm-v05x.html"
- ],
- "date": "2013"
- }
- },
- {
- "value": "Ghost",
- "meta": {
- "refs": [
- "https://www.youtube.com/watch?v=xXZW4ajVYkI"
- ],
- "synonyms": [
- "Ucul"
- ],
- "date": "2013"
- }
- },
- {
- "value": "9002",
- "meta": {
- "date": "2013"
- }
- },
- {
- "value": "Sandro RAT",
- "meta": {
- "date": "2014"
- }
- },
- {
- "value": "Mega",
- "meta": {
- "date": "2014"
- }
- },
- {
- "value": "WiRAT",
- "meta": {
- "date": "2014"
- }
- },
- {
- "value": "3PARA RAT",
- "meta": {
- "refs": [
- "https://books.google.fr/books?isbn=2212290136"
- ]
- }
- },
- {
- "value": "BBS RAT",
- "meta": {
- "date": "2014"
- }
- },
- {
- "description": "KONNI is a remote access Trojan (RAT) that was first reported in May of 2017, but is believed to have been in use for over 3 years. 
As Part of our daily threat monitoring, FortiGuard Labs came across a new variant of the KONNI RAT and decided to take a deeper look.",
- "value": "Konni",
- "meta": {
- "refs": [
- "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant",
- "https://www.cylance.com/en_us/blog/threat-spotlight-konni-stealthy-remote-access-trojan.html",
- "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/",
- "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html"
- ],
- "synonyms": [
- "KONNI"
- ]
- }
- },
- {
- "value": "Felismus RAT",
- "description": "Used by Sowbug",
- "meta": {
- "date": "2014",
- "refs": [
- "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
- ]
- }
- },
- {
- "description": "Xsser mRAT is a piece of malware that targets iOS devices that have software limitations removed. The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. 
The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server.",
- "value": "Xsser",
- "meta": {
- "refs": [
- "https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html",
- "http://malware.wikia.com/wiki/Xsser_mRAT"
- ],
- "synonyms": [
- "mRAT"
- ],
- "date": "2014"
- }
- },
- {
- "description": "GovRAT is an old cyberespionage tool, it has been in the wild since 2014 and it was used by various threat actors across the years.",
- "value": "GovRAT",
- "meta": {
- "refs": [
- "http://securityaffairs.co/wordpress/41714/cyber-crime/govrat-platform.html",
- "http://securityaffairs.co/wordpress/51202/cyber-crime/govrat-2-0-attacks.html"
- ],
- "date": "2015"
- }
- },
- {
- "value": "Rottie3",
- "meta": {
- "refs": [
- "https://www.youtube.com/watch?v=jUg5--68Iqs"
- ],
- "date": "2015"
- }
- },
- {
- "value": "Killer RAT",
- "meta": {
- "date": "2015"
- }
- },
- {
- "value": "Hi-Zor",
- "meta": {
- "refs": [
- "https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat"
- ],
- "date": "2015"
- }
- },
- {
- "description": "Quaverse RAT or QRAT is a fairly new Remote Access Tool (RAT) introduced in May 2015. This RAT is marketed as an undetectable Java RAT. As you might expect from a RAT, the tool is capable of grabbing passwords, key logging and browsing files on the victim's computer. On a regular basis for the past several months, we have observed the inclusion of QRAT in a number of spam campaigns. ",
- "value": "Quaverse",
- "meta": {
- "refs": [
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/"
- ],
- "synonyms": [
- "QRAT"
- ],
- "date": "2015"
- }
- },
- {
- "value": "Heseber",
- "meta": {
- "date": "2015"
- }
- },
- {
- "description": "Cardinal is a remote access trojan (RAT) discovered by Palo Alto Networks in 2017 and has been active for over two years. 
It is delivered via a downloader, known as Carp, and uses malicious macros in Microsoft Excel documents to compile embedded C# programming language source code into an executable that runs and deploys the Cardinal RAT. The malicious Excel files use different tactics to get the victims to execute it. ", - "value": "Cardinal", - "meta": { - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/", - "https://www.scmagazine.com/cardinal-rats-unique-downloader-allowed-it-to-avoid-detection-for-years/article/651927/", - "https://www.cyber.nj.gov/threat-profiles/trojan-variants/cardinal" - ], - "date": "2015" - } - }, - { - "description": "Works on all Android, Windows, Linux and Mac devices!", - "value": "OmniRAT", - "meta": { - "refs": [ - "https://omnirat.eu/en/" - ], - "date": "2015" - } - }, - { - "value": "Jfect", - "meta": { - "refs": [ - "https://www.youtube.com/watch?v=qKdoExQFb68" - ], - "date": "2015" - } - }, - { - "description": "Trochilus is a remote access trojan (RAT) first identified in October 2015 when attackers used it to infect visitors of a Myanmar website. It was then used in a 2016 cyber-espionage campaign, dubbed \"the Seven Pointed Dagger,\" managed by another group, \"Group 27,\" who also uses the PlugX trojan. Trochilus is primarily spread via emails with a malicious .RAR attachment containing the malware. The trojan's functionality includes a shellcode extension, remote uninstall, a file manager, and the ability to download and execute, upload and execute, and access the system information. Once present on a system, Trochilus can move laterally in the network for better access. This trojan operates in memory only and does not write to the disk, helping it evade detection. 
", - "value": "Trochilus", - "meta": { - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/", - "http://securityaffairs.co/wordpress/43889/cyber-crime/new-rat-trochilus.html" - ], - "date": "2015" - } - }, - { - "description": "Their most commonly used initial attack vector is a simple, yet alarmingly effective, spearphishing attack, infecting unsuspecting victims via a malicious email attachment (usually an executable that has been disguised as something else). From there, Matryoshka runs second stage malware via a dropper and covertly installs a Remote Access Toolkit (RAT). This is done using a reflective loader technique that allows the malware to run in process memory, rather than being written to disk. This not only hides the install of the RAT but also ensures that the RAT will be ‘reinstalled’ after system restart.", - "value": "Matryoshka", - "meta": { - "refs": [ - "https://www.alienvault.com/blogs/security-essentials/matryoshka-malware-from-copykittens-group" - ], - "date": "2015" - } - }, - { - "description": "First discovered by Trend Micro in June, Mangit is a new malware family being marketed on both the Dark web and open internet. Users have the option to rent the trojan's infrastructure for about $600 per 10-day period or buy the source code for about $8,800. Mangit was allegedly developed by \"Ric\", a Brazilian hacker, who makes himself available via Skype to discuss rental agreements. Once the malware is rented or purchased, the user controls a portion of the Mangit botnet, the trojan, the dropper, an auto-update system, and the server infrastructure to run their attacks. Mangit contains support for nine Brazillian banks including Citibank, HSBC, and Santander. The malware can also be used to steal user PayPal credentials. 
Mangit has the capability to collect banking credentials, receive SMS texts when a victim is accessing their bank account, and take over victim's browsers. To circumvent two-factor authentication, attackers can use Mangit to lock victim's browsers and push pop-ups to the victim asking for the verification code they just received.", - "value": "Mangit", - "meta": { - "refs": [ - "http://virusguides.com/newly-discovered-mangit-malware-offers-banking-trojan-service/", - "https://www.cyber.nj.gov/threat-profiles/trojan-variants/mangit", - "http://news.softpedia.com/news/new-malware-mangit-surfaces-as-banking-trojan-as-a-service-505458.shtml" - ], - "date": "2016" - } - }, - { - "value": "LeGeNd", - "meta": { - "refs": [ - "http://www.connect-trojan.net/2016/08/legend-rat-v1.3-by-ahmed-ibrahim.html", - "http://www.connect-trojan.net/2016/11/legend-rat-v1.9-by-ahmed-ibrahim.html" - ], - "date": "2016" - } - }, - { - "description": "Revenge v0.1 was a simple tool, according to a researcher known as Rui, who says the malware’s author didn’t bother obfuscating the RAT’s source code. This raised a question mark with the researchers, who couldn’t explain why VirusTotal scanners couldn’t pick it up as a threat right away.Revenge, which was written in Visual Basic, also didn’t feature too many working features, compared to similar RATs. Even Napolean admitted that his tool was still in the early development stages, a reason why he provided the RAT for free.", - "value": "Revenge-RAT", - "meta": { - "refs": [ - "http://www.securitynewspaper.com/2016/08/31/unsophisticated-revenge-rat-released-online-free-exclusive/" - ], - "date": "2016" - } - }, - { - "value": "vjw0rm 0.1", - "meta": { - "refs": [ - "https://twitter.com/malwrhunterteam/status/816993165119016960?lang=en" - ], - "date": "2016" - } - }, - { - "description": "ROKRAT is a remote access trojan (RAT) that leverages a malicious Hangual Word Processor (HWP) document sent in spearphishing emails to infect hosts. 
The HWP document contains an embedded Encapsulated PostScript (EPS) object. The object exploits an EPS buffer overflow vulnerability and downloads a binary disguised as a .JPG file. The file is then decoded and the ROKRAT executable is initiated. The trojan uses legitimate Twitter, Yandex, and Mediafire websites for its command and control communications and exfiltration platforms, making them difficult to block globally. Additionally, the platforms use HTTPS connections, making it more difficult to gather additional data on its activities. Cisco's Talos Group identified two email campaigns. In one, attackers send potential victims emails from an email server of a private university in Seoul, South Korea with a sender email address of \"kgf2016@yonsei.ac.kr,\" the contact email for the Korea Global Forum, adding a sense of legitimacy to the email. It is likely that the email address was compromised and used by the attackers in this campaign. The second is less sophisticated and sends emails claiming to be from a free Korean mail service with a the subject line, \"Request Help\" and attached malicious HWP filename, \"I'm a munchon person in Gangwon-do, North Korea.\" The ROKRAT developer uses several techniques to hinder analysis, including identifying tools usually used by malware analysts or within sandbox environments. Once it has infected a device, this trojan can execute commands, move a file, remove a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes. 
Researchers believe the developer is a native Korean speaker and the campaign is currently targeting Korean-speakers.", - "value": "rokrat", - "meta": { - "refs": [ - "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html", - "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html" - ], - "synonyms": [ - "ROKRAT" - ], - "date": "2016" - } - }, - { - "description": "Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT. Twitter user @hkashfi posted a Tweet saying that one of his friends received a file (US Travel Docs Information.jar) from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland (notice the “i” between “travel” and “docs”).", - "value": "Qarallax", - "meta": { - "refs": [ - "https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/" - ], - "synonyms": [ - "qrat" - ], - "date": "2016" - } - }, - { - "description": "MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.", - "value": "MoonWind", - "meta": { - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/", - "https://attack.mitre.org/wiki/Software/S0149" - ], - "date": "2016" - } - }, - { - "description": "Remcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, we’ve seen its payload being distributed in the wild for the first time.", - "value": "Remcos", - "meta": { - "refs": [ - "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2" - ], - "date": "2016" - } - }, - { - "description": "The purpose of the Client Maximus malware is financial fraud. 
As such, its code aspires to create the capabilities that most banking Trojans have, which allow attackers to monitor victims’ web navigation and interrupt online banking session at will. After taking over a victim’s banking session, an attacker operating this malware can initiate a fraudulent transaction from the account and use social engineering screens to manipulate the unwitting victim into authorizing it.", - "value": "Client Maximus", - "meta": { - "refs": [ - "https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/" - ], - "date": "2016" - } - }, - { - "description": "Thefatrat a massive exploiting tool revealed >> An easy tool to generate backdoor and easy tool to post exploitation attack like browser attack,dll . This tool compiles a malware with popular payload and then the compiled malware can be execute on windows, android, mac . The malware that created with this tool also have an ability to bypass most… ", - "value": "TheFat RAT", - "meta": { - "refs": [ - "https://github.com/Screetsec/TheFatRat" - ], - "date": "2016" - } - }, - { - "description": "Since around October 2016, JPCERT/CC has been confirming information leakage and other damages caused by malware ‘RedLeaves’. 
It is a new type of malware which has been observed since 2016 in attachments to targeted emails.", - "value": "RedLeaves", - "meta": { - "refs": [ - "http://blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html" - ], - "date": "2016" - } - }, - { - "description": "Dubbed Rurktar, the tool hasn’t had all of its functionality implemented yet, but G DATA says “it is relatively safe to say [it] is intended for use in targeted spying operations.” The malicious program could be used for reconnaissance operations, as well as to spy on infected computers users, and steal or upload files.", - "value": "Rurktar", - "meta": { - "refs": [ - "http://www.securityweek.com/rurktar-malware-espionage-tool-development" - ], - "date": "2017" - } - }, - { - "description": "RATAttack is a remote access trojan (RAT) that uses the Telegram protocol to support encrypted communication between the victim's machine and the attacker. The Telegram protocol also provides a simple method to communicate to the target, negating the need for port forwarding. Before using RATAttack, the attacker must create a Telegram bot and embed the bot's Telegram token into the trojan's configuration file. When a system is infected with RATAttack, it connects to the bot's Telegram channel. The attacker can then connect to the same channel and manage the RATAttack clients on the infected host machines. The trojan's code was available on GitHub then was taken down by the author on April 19, 2017.", - "value": "RATAttack", - "meta": { - "refs": [ - "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ratattack" - ], - "date": "2017" - } - }, - { - "description": "So called because the Command and Control (C2) infrastructure from previous variants of the malware was located in Cambodia, as discussed by Roland Dela Paz at Forecpoint here, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. 
KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.", - "value": "KhRAT", - "meta": { - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/" - ], - "date": "2017" - } - }, - { - "description": "", - "value": "RevCode", - "meta": { - "refs": [ - "https://revcode.eu/" - ], - "date": "2017" - } - }, - { - "description": "Android Remote Administration Tool", - "value": "AhNyth Android", - "meta": { - "refs": [ - "https://github.com/AhMyth/AhMyth-Android-RAT" - ], - "date": "2017" - } - }, - { - "value": "Socket23", - "description": "SOCKET23 was launched from his web site and immedi- ately infected major French corporations between August and October 1998. The virus (distributing the Trojan) was known as W32/HLLP.DeTroie.A (alias W32/Cheval.TCV). Never had a virus so disrupted French industry. The author quickly offered his own remover and made his apologies on his web site (now suppressed). Jean-Christophe X (18) was arrested on Tuesday 15 June 1999 in the Paris area and placed under judicial investigation for ‘fraudulent intrusion of data in a data processing system, suppression and fraudulent modification of data’", - "meta": { - "refs": [ - "https://www.virusbulletin.com/uploads/pdf/magazine/1999/199908.pdf" - ], - "date": "1998" - } - }, - { - "value": "PowerRAT", - "meta": { - "date": "2017" - } - }, - { - "description": "Standard macOS backdoor, offered via a 'malware-as-a-service' model. MacSpy is advertised as the \"most sophisticated Mac spyware ever\", with the low starting price of free. 
While the idea of malware-as-a-service (MaaS) isn’t a new one with players such as Tox and Shark the game, it can be said that MacSpy is one of the first seen for the OS X platform.", - "value": "MacSpy", - "meta": { - "refs": [ - "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service", - "https://objective-see.com/blog/blog_0x25.html" - ], - "date": "2017" - } - }, - { - "description": "Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection. ", - "value": "DNSMessenger", - "meta": { - "refs": [ - "http://blog.talosintelligence.com/2017/03/dnsmessenger.html" - ], - "date": "2017" - } - }, - { - "value": "PentagonRAT", - "meta": { - "refs": [ - "http://pentagon-rat.blogspot.fr/" - ], - "date": "2017" - } - }, - { - "description": "NewCore is a remote access trojan first discovered by Fortinet researchers while conducting analysis on a China-linked APT campaign targeting Vietnamese organizations. The trojan is a DLL file, executed after a trojan downloader is installed on the targeted machine. 
Based on strings in the code, the trojan may be compiled from the publicly-available source code of the PcClient and PcCortr backdoor trojans.", - "value": "NewCore", - "meta": { - "refs": [ - "https://www.cyber.nj.gov/threat-profiles/trojan-variants/newcore", - "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations" - ], - "date": "2017" - } - }, - { - "value": "Deeper RAT", - "meta": { - "date": "2010" - } - }, - { - "value": "Xyligan", - "meta": { - "date": "2012" - } - }, - { - "value": "H-w0rm", - "meta": { - "date": "2013" - } - }, - { - "description": "On November 8, 2016 a non-disclosed entity in Laos was spear-phished by a group closely related to known Chinese adversaries and most likely affiliated with the Chinese government. The attackers utilized a new kind of Remote Access Trojan (RAT) that has not been previously observed or reported. The new RAT extends the capabilities of traditional RATs by providing complete remote execution of custom commands and programming. htpRAT, uncovered by RiskIQ cyber investigators, is the newest weapon in the Chinese adversary’s arsenal in a campaign against Association of Southeast Asian Nations (ASEAN). Most RATs can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs and manage files. They support a fixed set of commands operators can execute using different command IDs —’file download’ or ‘file upload,’ for example—and must be completely rebuilt to have different functionality. htpRAT, on the other hand, serves as a conduit for operators to do their job with greater precision and effect. On the Command and Control (C2) server side, threat actors can build new functionality in commands, which can be sent to the malware to execute. This capability makes htpRAT a small, agile, and incredibly dynamic piece of malware. 
Operators can change functionality, such as searching for a different file on the victim’s network, simply by wrapping commands. ", - "value": "htpRAT", - "meta": { - "refs": [ - "https://cdn.riskiq.com/wp-content/uploads/2017/10/RiskIQ-htpRAT-Malware-Attacks.pdf?_ga=2.159415805.1155855406.1509033001-1017609577.1507615928" - ] - } - }, - { - "description": "According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.", - "value": "FALLCHILL", - "meta": { - "refs": [ - "https://www.us-cert.gov/ncas/alerts/TA17-318A" - ] - } - }, - { - "description": "Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called UBoatRAT. The initial version of the RAT, found in May of 2017, was simple HTTP backdoor that uses a public blog service in Hong Kong and a compromised web server in Japan for command and control. The developer soon added various new features to the code and released an updated version in June. 
The attacks with the latest variants we found in September have following characteristics.\nTargets personnel or organizations related to South Korea or video games industry\nDistributes malware through Google Drive\nObtains C2 address from GitHub\nUses Microsoft Windows Background Intelligent Transfer Service(BITS) to maintain persistence.", - "value": "UBoatRAT", - "meta": { - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" - ] - } - }, - { - "description": "The EFF/Lookout report describes CrossRat as a “newly discovered desktop surveillanceware tool…which is able to target Windows, OSX, and Linux.”", - "value": "CrossRat", - "meta": { - "refs": [ - "https://digitasecurity.com/blog/2018/01/23/crossrat/" - ] - } - } - ] -} + "name": "RAT", + "type": "rat", + "source": "MISP Project", + "authors": [ + "Various" + ], + "description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.", + "uuid": "312f8714-45cb-11e7-b898-135207cdceb9", + "version": 6, + "values": [ + { + "meta": { + "refs": [ + "https://www.teamviewer.com" + ] + }, + "description": "TeamViewer is a proprietary computer software package for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.", + "value": "TeamViewer", + "uuid": "8ee3c015-3088-4a5f-8c94-602c27d767c0" + }, + { + "value": "JadeRAT", + "description": "JadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains.", + "meta": { + "refs": [ + "https://blog.lookout.com/mobile-threat-jaderat" + ] + }, + "uuid": "1cc8963b-5ad4-4e19-8e9a-57b0ff1ef926" + }, + { + "meta": { + "synonyms": [ + "BO" + ], + "refs": [ + 
"http://www.cultdeadcow.com/tools/bo.html", + "http://www.symantec.com/avcenter/warn/backorifice.html" + ] + }, + "description": "Back Orifice (often shortened to BO) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location.", + "value": "Back Orifice", + "uuid": "20204b13-8ad1-4147-9328-0a9a7ac010b6" + }, + { + "meta": { + "synonyms": [ + "NetBus" + ], + "refs": [ + "http://www.symantec.com/avcenter/warn/backorifice.html", + "https://www.f-secure.com/v-descs/netbus.shtml" + ], + "date": "1998" + }, + "description": "NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor.", + "value": "Netbus", + "uuid": "81ff6e46-0ba4-458b-b3b0-750e86404cae" + }, + { + "meta": { + "synonyms": [ + "Poison Ivy", + "Backdoor.Win32.PoisonIvy", + "Gen:Trojan.Heur.PT" + ], + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", + "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml" + ] + }, + "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", + "value": "PoisonIvy", + "uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0" + }, + { + "meta": { + "synonyms": [ + "SubSeven", + "Sub7Server" + ], + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2001-020114-5445-99" + ], + "date": "1999" + }, + "description": "Sub7, or SubSeven or Sub7Server, is a Trojan horse program.[1] Its name was derived by spelling NetBus backwards (\"suBteN\") and swapping \"ten\" with \"seven\". Sub7 was created by Mobman. 
Mobman has not maintained or updated the software since 2004, however an author known as Read101 has carried on the Sub7 legacy.", + "value": "Sub7", + "uuid": "d7369f05-65ce-4e10-916f-41f2f6d4ab59" + }, + { + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Beast_(Trojan_horse)" + ], + "date": "2002" + }, + "description": "Beast is a Windows-based backdoor trojan horse, more commonly known in the hacking community as a Remote Administration Tool or a \"RAT\". It is capable of infecting versions of Windows from 95 to 10.", + "value": "Beast Trojan", + "uuid": "268a4f81-dbfd-4b20-9a54-24eba7a4c781" + }, + { + "meta": { + "refs": [ + "https://www.revolvy.com/main/index.php?s=Bifrost%20(trojan%20horse)&item_type=topic", + "http://malware-info.blogspot.lu/2008/10/bifrost-trojan.html" + ], + "date": "2004" + }, + "description": "Bifrost is a discontinued backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 10 (although on modern Windows systems, after Windows XP, its functionality is limited). Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine (which runs the server whose behavior can be controlled by the server editor).", + "value": "Bifrost", + "uuid": "eb62bac0-68fd-4b17-af4f-89c6900ee414" + }, + { + "meta": { + "refs": [ + "https://krebsonsecurity.com/2014/05/blackshades-trojan-users-had-it-coming/" + ], + "date": "2010" + }, + "description": "Blackshades is the name of a malicious trojan horse used by hackers to control computers remotely. 
The malware targets computers using Microsoft Windows -based operating systems.[2] According to US officials, over 500,000 computer systems have been infected worldwide with the software.", + "value": "Blackshades", + "uuid": "3a1fc564-3705-4cc0-8f80-13c58d470d34" + }, + { + "meta": { + "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", + "https://blogs.cisco.com/security/talos/darkkomet-rat-spam" + ], + "synonyms": [ + "Dark Comet" + ], + "date": "2008" + }, + "description": "DarkComet is a Remote Administration Tool (RAT) which was developed by Jean-Pierre Lesueur (known as DarkCoderSc), an independent programmer and computer security coder from the United Kingdom. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012.", + "value": "DarkComet", + "uuid": "8a21ae06-d257-48a0-989b-1c9aebedabc2" + }, + { + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2002-121116-0350-99" + ], + "date": "2002" + }, + "description": "Backdoor.Lanfiltrator is a backdoor Trojan that gives an attacker unauthorized access to a compromised computer. 
The detection is used for a family of Trojans that are produced by the Backdoor.Lanfiltrator generator.",
+ "value": "Lanfiltrator",
+ "uuid": "826e73f8-2241-4c99-848d-8597d685cfd3"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://lexmarket.su/thread-27692.html",
+ "https://www.nulled.to/topic/129749-win32hsidir-rat/"
+ ]
+ },
+ "description": "Win32.HsIdir is an advanced remote administrator tool systems was done by the original author HS32-Idir, it is the development of the release made since 2006 Copyright \u00a9 2006-2010 HS32-Idir.",
+ "value": "Win32.HsIdir",
+ "uuid": "569d539f-f949-4156-8896-108ea8352fbc"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://en.wikipedia.org/wiki/Optix_Pro",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2002-090416-0521-99",
+ "https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20208"
+ ],
+ "date": "2002"
+ },
+ "description": "Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K",
+ "value": "Optix Pro",
+ "uuid": "4ce3247b-203a-42a8-aaa0-05558c50894e"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "BO2k"
+ ],
+ "refs": [
+ "https://en.wikipedia.org/wiki/Back_Orifice_2000",
+ "https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=10229",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2000-121814-5417-99",
+ "https://www.f-secure.com/v-descs/bo2k.shtml"
+ ],
+ "date": "1998"
+ },
+ "description": "Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft BackOffice Server software. Back Orifice 2000 is a new version of the famous Back Orifice backdoor trojan (hacker's remote access tool). It was created by the Cult of Dead Cow hackers group in July 1999. Originally the BO2K was released as a source code and utilities package on a CD-ROM. 
There are reports that some files on that CD-ROM were infected with CIH virus, so the people who got that CD might get infected and spread not only the compiled backdoor, but also the CIH virus. ",
+ "value": "Back Orifice 2000",
+ "uuid": "91f8a1d8-c816-45e1-8c26-17a7305ca375"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "VNC Connect",
+ "VNC Viewer"
+ ],
+ "refs": [
+ "https://www.realvnc.com/"
+ ]
+ },
+ "description": "The software consists of a server and client application for the Virtual Network Computing (VNC) protocol to control another ",
+ "value": "RealVNC",
+ "uuid": "e1290288-84d4-4b32-858d-db4ed612de44"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "UNRECOM",
+ "UNiversal REmote COntrol Multi-Platform",
+ "Frutas",
+ "AlienSpy",
+ "Unrecom",
+ "Jsocket",
+ "JBifrost"
+ ],
+ "refs": [
+ "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf",
+ "https://www.f-secure.com/v-descs/backdoor_java_adwind.shtml",
+ "https://blog.fortinet.com/2016/08/16/jbifrost-yet-another-incarnation-of-the-adwind-rat"
+ ],
+ "date": "2011"
+ },
+ "description": "Backdoor:Java/Adwind is a Java archive (.JAR) file that drops a malicious component onto the machines and runs as a backdoor. When active, it is capable of stealing user information and may also be used to distribute other malware. 
",
+ "value": "Adwind RAT",
+ "uuid": "b76d9845-815c-4e77-9538-6b737269da2f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.virustotal.com/en/file/b31812e5b4c63c5b52c9b23e76a5ea9439465ab366a9291c6074bfae5c328e73/analysis/1359376345/"
+ ]
+ },
+ "value": "Albertino Advanced RAT",
+ "uuid": "eff22ed3-81fc-4055-bd1d-76e1f191f487"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-112912-5237-99",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/tsunami-warning-leads-to-arcom-rat/"
+ ]
+ },
+ "description": "The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00.",
+ "value": "Arcom",
+ "uuid": "cd167b01-dc63-4576-b4a1-5ee707aa392b"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://leakforums.net/thread-18123?tid=18123&&pq=1"
+ ]
+ },
+ "description": "BlackNix rat is a rat coded in delphi. ",
+ "value": "BlackNix",
+ "uuid": "f3e79212-0e35-40d2-a1d6-37b629a8138e"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://leakforums.net/thread-123872",
+ "https://techanarchy.net/2014/02/blue-banana-rat-config/"
+ ],
+ "date": "2012"
+ },
+ "description": "Blue Banana is a RAT (Remote Administration Tool) created purely in Java",
+ "value": "Blue Banana",
+ "uuid": "9b515229-36f6-4b93-9889-36116a12fd74"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html"
+ ],
+ "date": "2013"
+ },
+ "description": "Bozok, like many other popular RATs, is freely available. The author of the Bozok RAT goes by the moniker \u201cSlayer616\u201d and has created another RAT known as Schwarze Sonne, or \u201cSS-RAT\u201d for short. 
Both of these RATs are free and easy to find \u2014 various APT actors have used both in previous targeted attacks.",
+ "value": "Bozok",
+ "uuid": "41f45758-0376-42a8-bc07-8f2ffbee3ad2"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://sinister.ly/Thread-ClientMesh-RAT-In-Built-FUD-Crypter-Stable-DDoSer-No-PortForwading-40-Lifetime",
+ "https://blog.yakuza112.org/2012/clientmesh-rat-v5-cracked-clean/"
+ ]
+ },
+ "description": "ClientMesh is a Remote Administration Application yhich allows a user to control a number of client PCs from around the world.",
+ "value": "ClientMesh",
+ "uuid": "03eb6742-9a17-4aed-95e4-d8a0b0abefc3"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.hackersthirst.com/2011/03/cybergate-rat-hacking-facebook-twitter.html",
+ "http://www.nbcnews.com/id/41584097/ns/technology_and_science-security/t/cybergate-leaked-e-mails-hint-corporate-hacking-conspiracy/"
+ ],
+ "date": "2011"
+ },
+ "description": "CyberGate is a powerful, fully configurable and stable Remote Administration Tool coded in Delphi that is continuously getting developed. Using cybergate you can log the victim's passwords and can also get the screen shots of his computer's screen.",
+ "value": "CyberGate",
+ "uuid": "c3cf4e88-704b-4d7c-8185-ee780804f3d3"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://meinblogzumtesten.blogspot.lu/2013/05/dark-ddoser-v56c-cracked.html"
+ ]
+ },
+ "value": "Dark DDoSeR",
+ "uuid": "3c026104-6129-4749-9b41-07c28d9e84c4"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "DarkRAT"
+ ],
+ "refs": [
+ "https://www.infosecurity-magazine.com/blogs/the-dark-rat/",
+ "http://darkratphp.blogspot.lu/"
+ ],
+ "date": "2005"
+ },
+ "description": "In March 2017, Fujitsu Cyber Threat Intelligence uncovered a newly developed remote access tool referred to by its developer as \u2018Dark RAT\u2019 \u2013 a tool used to steal sensitive information from victims. Offered as a Fully Undetectable build (FUD) the RAT has a tiered price model including 24/7 support and an Android version. 
Android malware has seen a significant rise in interest and in 2015 this resulted in the arrests of a number of suspects involved in the infamous DroidJack malware.",
+ "value": "DarkRat",
+ "uuid": "7135cc9c-a7bf-44fc-b74b-80de9edd9438"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://sites.google.com/site/greymecompany/greame-rat-project"
+ ]
+ },
+ "value": "Greame",
+ "uuid": "e880a029-bb01-4a64-baa3-b13fc2af4e9d"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://securityaffairs.co/wordpress/54837/hacking/one-stop-shop-hacking.html"
+ ],
+ "date": "2003"
+ },
+ "description": "HawkEye is a popular RAT that can be used as a keylogger, it is also able to identify login events and record the destination, username, and password.",
+ "value": "HawkEye",
+ "uuid": "8414f79c-a879-44b6-b154-4992aa12dff1"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rekings.com/shop/jrat/"
+ ],
+ "synonyms": [
+ "JacksBot"
+ ],
+ "date": "2012"
+ },
+ "description": "jRAT is the cross-platform remote administrator tool that is coded in Java, Because its coded in Java it gives jRAT possibilities to run on all operation systems, Which includes Windows, Mac OSX and Linux distributions.",
+ "value": "jRAT",
+ "uuid": "1df62d96-88f8-473c-94a2-252eb360ba62"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://leakforums.net/thread-479505"
+ ],
+ "date": "2013"
+ },
+ "description": "jSpy is a Java RAT. ",
+ "value": "jSpy",
+ "uuid": "669a0e4d-9760-49fc-bdf5-0471f84e0c76"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://leakforums.net/thread-284656"
+ ]
+ },
+ "description": "Just saying that this is a very badly coded RAT by the biggest skid in this world, that is XilluX. 
The connection is very unstable, the GUI is always flickering because of the bad Multi-Threading and many more bugs.",
+ "value": "LuxNET",
+ "uuid": "aad1038d-4d50-4a3e-88f3-cd9d154dc45c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.cyber.nj.gov/threat-profiles/trojan-variants/njrat"
+ ],
+ "synonyms": [
+ "Njw0rm"
+ ],
+ "date": "2012"
+ },
+ "description": "NJRat is a remote access trojan (RAT), first spotted in June 2013 with samples dating back to November 2012. It was developed and is supported by Arabic speakers and mainly used by cybercrime groups against targets in the Middle East. In addition to targeting some governments in the region, the trojan is used to control botnets and conduct other typical cybercrime activity. It infects victims via phishing attacks and drive-by downloads and propagates through infected USB keys or networked drives. It can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.",
+ "value": "NJRat",
+ "uuid": "7fb493bb-756b-42a2-8f6d-59e254f4f2cc"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rekings.com/pandora-rat-2-2/"
+ ],
+ "date": "2002"
+ },
+ "description": "Remote administrator tool that has been developed for Windows operation system. With advanced features and stable structure, Pandora\u2019s structure is based on advanced client / server architecture. was configured using modern technology.",
+ "value": "Pandora",
+ "uuid": "59485642-d233-4167-9f51-bd1d74285c23"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "PredatorPain"
+ ],
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/predator-pain-and-limitless-behind-the-fraud/",
+ "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-predator-pain-and-limitless.pdf"
+ ]
+ },
+ "description": "Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. 
They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn\u2019t scale well when there are a lot of infected machines and logs involved.",
+ "value": "Predator Pain",
+ "uuid": "42a97a5d-ee33-492a-b20f-758ecdbf1aed"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://punisher-rat.blogspot.lu/"
+ ],
+ "date": "2007"
+ },
+ "description": "Remote administration tool",
+ "value": "Punisher RAT",
+ "uuid": "e49af83c-fd2f-4540-92dc-97c7b84a9458"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rekings.com/spygate-rat-3-2/",
+ "https://www.symantec.com/security_response/attacksignatures/detail.jsp%3Fasid%3D27950",
+ "http://spygate-rat.blogspot.lu/"
+ ]
+ },
+ "description": "This is tool that allow you to control your computer form anywhere in world with full support to unicode language. ",
+ "value": "SpyGate",
+ "uuid": "1c3df89a-1f30-4ccb-acb4-5dee4b470b55"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "SmallNet"
+ ],
+ "refs": [
+ "http://small-net-rat.blogspot.lu/"
+ ]
+ },
+ "description": "RAT",
+ "value": "Small-Net",
+ "uuid": "1dd0c7f8-a6fb-4912-9de9-deb43f384fdb"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rekings.com/vantom-rat/"
+ ]
+ },
+ "description": "Vantom is a free RAT with good option and very stable.",
+ "value": "Vantom",
+ "uuid": "6e5a1fcb-f730-4d8d-890a-ef133782a7d2"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://leakforums.net/thread-497480"
+ ]
+ },
+ "description": "Xena RAT is a fully-functional, stable, state-of-the-art RAT, coded in a native language called Delphi, it has almost no dependencies.",
+ "value": "Xena",
+ "uuid": "b9d5ab11-dd6f-49ba-8117-ce16f71ff11c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html"
+ ],
+ "date": "2010"
+ },
+ "description": "This malware has been used in targeted 
attacks as well as traditional cybercrime. During our investigation we found that the majority of XtremeRAT activity is associated with spam campaigns that typically distribute Zeus variants and other banking-focused malware. ",
+ "value": "XtremeRAT",
+ "uuid": "3b6b55fb-595c-40c5-bbc5-dbe244b15026"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data"
+ ],
+ "date": "2012"
+ },
+ "description": "NetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers.",
+ "value": "Netwire",
+ "uuid": "e3113a0e-a65b-4119-8bc2-1c8d9d18c2db"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.volexity.com/blog/2017/03/23/have-you-been-haunted-by-the-gh0st-rat-today/"
+ ],
+ "date": "2001"
+ },
+ "description": "Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into some of the most sensitive computer networks on Earth. It is a cyber spying computer program. .",
+ "value": "Gh0st RAT",
+ "uuid": "255a59a7-db2d-44fc-9ca9-5859b65817c3"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.zunzutech.com/blog/security/analysis-of-plasma-rats-source-code/"
+ ]
+ },
+ "description": "Plasma RAT\u2019s stub is fairly advanced, having many robust features. Some of the features include botkilling, Cryptocurrencies Mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a Botnet version of it (Plasma HTTP), which is pretty similar to the RAT version.",
+ "value": "Plasma RAT",
+ "uuid": "af534ddb-d0c6-47c0-82be-058c8bd5c6e1"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rekings.com/babylon-rat/"
+ ]
+ },
+ "description": "Babylon is a highly advanced remote administration tool with no dependencies. 
The server is developed in C++ which is an ideal language for high performance and the client is developed in C#(.Net Framework 4.5)",
+ "value": "Babylon",
+ "uuid": "ad1c9a50-3cd2-446a-ab31-9ecb62980d61"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.imminentmethods.info/"
+ ]
+ },
+ "description": "RAT",
+ "value": "Imminent Monitor",
+ "uuid": "f52a5252-ef53-4935-81c8-96fffcd1b952"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://droidjack.net/"
+ ]
+ },
+ "description": "DroidJack is a RAT (Remote Access Trojan/Remote Administration Tool) nature of remote accessing, monitoring and managing tool (Java based) for Android mobile OS. You can use it to perform a complete remote control to any Android devices infected with DroidJack through your PC. It comes with powerful function and user-friendly operation \u2013 even allows attackers to fully take over the mobile phone and steal, record the victim\u2019s private data wilfully.",
+ "value": "DroidJack",
+ "uuid": "7f032293-bfa2-4595-803d-c84519190861"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://github.com/quasar/QuasarRAT"
+ ],
+ "date": "2014"
+ },
+ "description": "Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface",
+ "value": "Quasar RAT",
+ "uuid": "6efa425c-3731-44fd-9224-2a62df061a2d"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://github.com/qqshow/dendroid",
+ "https://github.com/nyx0/Dendroid"
+ ],
+ "date": "2014"
+ },
+ "description": "Dendroid is malware that affects Android OS and targets the mobile platform. It was first discovered in early of 2014 by Symantec and appeared in the underground for sale for $300. Some things were noted in Dendroid, such as being able to hide from emulators at the time. When first discovered in 2014 it was one of the most sophisticated Android remote administration tools known at that time. 
It was one of the first Trojan applications to get past Google's Bouncer and caused researchers to warn about it being easier to create Android malware due to it. It also seems to have follow in the footsteps of Zeus and SpyEye by having simple-to-use command and control panels. The code appeared to be leaked somewhere around 2014. It was noted that an apk binder was included in the leak, which provided a simple way to bind Dendroid to legitimate applications.",
+ "value": "Dendroid",
+ "uuid": "ea3a8c25-4adb-4538-bf11-55259bdba15f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://github.com/shotskeber/Ratty"
+ ],
+ "date": "2016"
+ },
+ "description": "A Java R.A.T. program",
+ "value": "Ratty",
+ "uuid": "a51f07ae-ab2c-45ee-aa9c-1db7873e7bb4"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://level23hacktools.com/forum/showthread.php?t=27971",
+ "https://leakforums.net/thread-405562?tid=405562&&pq=1"
+ ]
+ },
+ "description": "Java RAT",
+ "value": "RaTRon",
+ "uuid": "48b6886b-67a9-4815-92a2-1b7aca24d4ac"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://arabian-attacker.software.informer.com/"
+ ],
+ "date": "2006"
+ },
+ "value": "Arabian-Attacker RAT",
+ "uuid": "f966a936-19f9-4b6b-95b3-0ff102e26303"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://latesthackingnews.com/2015/05/31/how-to-hack-android-phones-with-androrat/",
+ "https://github.com/wszf/androrat"
+ ]
+ },
+ "description": "Androrat is a client/server application developed in Java Android for the client side and in Java/Swing for the Server.",
+ "value": "Androrat",
+ "uuid": "ce70bf96-0629-4c7d-8ed8-2315fab0ed42"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://adzok.com/"
+ ]
+ },
+ "description": "Remote Administrator",
+ "value": "Adzok",
+ "uuid": "3560c833-3d28-4888-b0b8-1951ecac57a2"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "SS-RAT",
+ "Schwarze Sonne"
+ ],
+ "refs": [
+ "https://github.com/mwsrc/Schwarze-Sonne-RAT"
+ ],
+ "date": "2010"
+ },
+ "value": "Schwarze-Sonne-RAT",
+ "uuid": 
"99860df7-565d-47e4-a086-c4af1623b626"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.indetectables.net/viewtopic.php?t=24245"
+ ]
+ },
+ "value": "Cyber Eye RAT",
+ "uuid": "729f1b02-ce0c-41a4-8d4e-c7c1f5475c4b"
+ },
+ {
+ "value": "Batch NET",
+ "uuid": "9501172b-a81a-49bb-90ce-31f2fb78a130"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://leakforums.net/thread-530663"
+ ]
+ },
+ "value": "RWX RAT",
+ "uuid": "62c5b489-8750-4fab-aca3-b233af789831"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://spynet-rat-officiel.blogspot.lu/"
+ ],
+ "date": "2010"
+ },
+ "description": "Spy-Net is a software that allow you to control any computer in world using Windows Operating System.He is back using new functions and good options to give you full control of your remote computer.Stable and fast, this software offer to you a good interface, creating a easy way to use all his functions",
+ "value": "Spynet",
+ "uuid": "66bfd62e-6626-4104-af37-a44244204ac8"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://leakforums.net/thread-559871"
+ ]
+ },
+ "value": "CTOS",
+ "uuid": "b9d7d5b8-7cf4-4650-a88a-5f4e991c45d6"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://github.com/mwsrc/Virus-RAT-v8.0-Beta"
+ ]
+ },
+ "value": "Virus RAT",
+ "uuid": "9107fc0d-6705-4fc2-b621-e5ac42afef90"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.atelierweb.com/products/"
+ ]
+ },
+ "value": "Atelier Web Remote Commander",
+ "uuid": "c51188d6-d489-4a18-a9a8-e38365f0bc10"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://github.com/chrismattmann/drat"
+ ]
+ },
+ "description": "A distributed, parallelized (Map Reduce) wrapper around Apache\u2122 RAT to allow it to complete on large code repositories of multiple file types where Apache\u2122 RAT hangs forev",
+ "value": "drat",
+ "uuid": "5ee39172-7ba3-477c-9772-88841b4be691"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.f-secure.com/v-descs/mosuck.shtml"
+ ]
+ },
+ "description": "MoSucker is a powerful backdoor - hacker's remote access tool.",
+ "value": "MoSucker",
+ "uuid": 
"611ed43b-b869-4419-a487-6f7393125eb3"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.grayhatforum.org/thread-4373-post-5213.html#pid5213",
+ "http://www.spy-emergency.com/research/T/Theef_Download_Creator.html",
+ "http://www.spy-emergency.com/research/T/Theef.html"
+ ],
+ "date": "2002"
+ },
+ "value": "Theef",
+ "uuid": "f5154f40-46c1-4a0d-9814-cb5e5adf201b"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://prorat.software.informer.com/",
+ "http://malware.wikia.com/wiki/ProRat"
+ ],
+ "date": "2002"
+ },
+ "description": "ProRat is a Microsoft Windows based backdoor trojan, more commonly known as a Remote Administration Tool. As with other trojan horses it uses a client and server. ProRat opens a port on the computer which allows the client to perform numerous operations on the server (the machine being controlled). ",
+ "value": "ProRat",
+ "uuid": "cae67963-63d2-4c8b-8358-a03556f20b7b"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://sites.google.com/site/greymecompany/setro-rat-project"
+ ]
+ },
+ "value": "Setro",
+ "uuid": "6b1b2415-b42f-41c4-8c35-077844a9c4dc"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.connect-trojan.net/2015/03/indetectables-rat-v.0.5-beta.html"
+ ]
+ },
+ "value": "Indetectables RAT",
+ "uuid": "36912ecf-9411-44fa-b14d-ec3b6896b0e2"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://luminosity.link/"
+ ]
+ },
+ "value": "Luminosity Link",
+ "uuid": "0f2c6cd4-675a-4c41-acf5-1b0bc3625375"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://orcustechnologies.com/"
+ ],
+ "date": "2015"
+ },
+ "value": "Orcus",
+ "uuid": "30a1a10e-4155-43a6-854a-3b43bc2a3f9c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.connect-trojan.net/2014/10/blizzard-rat-lite-v1.3.1.html"
+ ]
+ },
+ "value": "Blizzard",
+ "uuid": "a7e4c2ff-6747-48e4-99c4-5c638c167fc0"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rekings.com/kazybot-lite-php-rat/",
+ "http://telussecuritylabs.com/threats/show/TSL20150122-06"
+ ]
+ },
+ "value": "Kazybot",
+ "uuid": "6c553273-f3f8-4e66-b764-9a9ae83a2f35" 
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.connect-trojan.net/2015/01/bx-rat-v1.0.html"
+ ],
+ "date": "2014"
+ },
+ "value": "BX",
+ "uuid": "f6cc85de-81da-4276-a87c-45e3a00b67b5"
+ },
+ {
+ "value": "death",
+ "uuid": "b7095617-3320-4118-9f28-7d4356e2571a"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://rubear.me/threads/sky-wyder-2016-cracked.127/"
+ ]
+ },
+ "value": "Sky Wyder",
+ "uuid": "866f97d7-faa9-49e2-b704-7406c1ee2565"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rekings.com/darktrack-4-alien/",
+ "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml"
+ ],
+ "date": "2017"
+ },
+ "value": "DarkTrack",
+ "uuid": "f60dc9e3-2053-446c-89a0-ad69906de6e4"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://github.com/c4bbage/xRAT"
+ ],
+ "date": "2017"
+ },
+ "description": "Free, Open-Source Remote Administration Tool. xRAT 2.0 is a fast and light-weight Remote Administration Tool coded in C# (using .NET Framework 2.0).",
+ "value": "xRAT",
+ "uuid": "509aff15-ba17-4582-b1a0-b0ed89df01d8"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://sakhackingarticles.blogspot.lu/2014/08/biodox-rat.html"
+ ]
+ },
+ "value": "Biodox",
+ "uuid": "43e91752-23f5-41c6-baa3-74d6fc0f2cad"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://leakforums.net/thread-31386?tid=31386&&pq=1"
+ ]
+ },
+ "description": "Offense RAT is a free renote administration tool made in Delphi 9.",
+ "value": "Offence",
+ "uuid": "a9caa398-ba8b-4a64-8970-67761c7efc76"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://leakforums.net/thread-36962"
+ ],
+ "date": "2009"
+ },
+ "value": "Apocalypse",
+ "uuid": "d5d3f9de-21b5-482e-b716-5f2f13182990"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://leakforums.net/thread-363920"
+ ],
+ "date": "2013"
+ },
+ "value": "JCage",
+ "uuid": "0d756293-6cbc-4973-8df8-7d6ab0cd51e0"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://malware.wikia.com/wiki/Nuclear_RAT",
+ 
"http://www.nuclearwintercrew.com/Products-View/21/Nuclear_RAT_2.1.0/"
+ ]
+ },
+ "description": "Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003).",
+ "value": "Nuclear RAT",
+ "uuid": "1b0f4481-f205-493a-a167-59669a64b6fc"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://ozonercp.com/"
+ ]
+ },
+ "description": "C++ REMOTE CONTROL PROGRAM",
+ "value": "Ozone",
+ "uuid": "1a4d6958-45fe-41ca-b545-bdf28fba14fa"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://github.com/alienwithin/xanity-php-rat"
+ ]
+ },
+ "value": "Xanity",
+ "uuid": "66c3e21d-1cb9-43b4-bd1b-2d9ac839a628"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Dark Moon"
+ ]
+ },
+ "value": "DarkMoon",
+ "uuid": "18a4e501-c6e3-45e9-beee-25421b0c7bcb"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://broad-product.biz/forum/r-a-t-(remote-administration-tools)/xpert-rat-3-0-10-by-abronsius(vb6)/",
+ "https://www.nulled.to/topic/18355-xpert-rat-309/",
+ "https://trickytamilan.blogspot.lu/2016/03/xpert-rat.html"
+ ]
+ },
+ "value": "Xpert",
+ "uuid": "bdb25a20-4c6c-4fdb-ac05-5f81fb6c15a7"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.alienvault.com/blogs/labs-research/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off"
+ ],
+ "synonyms": [
+ "Njw0rm"
+ ]
+ },
+ "description": "This remote access trojan (RAT) has capabilities ranging from manipulating the registry to opening a reverse shell. From stealing credentials stored in browsers to accessing the victims webcam. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread utilizing physic devices, such as USB drives, but also to use the victim as a pivot point to gain more access laterally throughout the network. 
This remote access trojan could be classified as a variant of the well known njrat, as they share many similar features such as their display style, several abilities and a general template for communication methods . However, where njrat left off KilerRat has taken over. KilerRat is a very feature rich RAT with an active development force that is rapidly gaining in popularity amongst the middle eastern community and the world.",
+ "value": "Kiler RAT",
+ "uuid": "c01ef312-dfd6-403f-a8b5-67fc11a550a7"
+ },
+ {
+ "value": "Brat",
+ "uuid": "7109e2b0-8c05-4d2b-a37f-c00d799f0c02"
+ },
+ {
+ "value": "MINI-MO",
+ "uuid": "32ea7a67-9649-4bd3-b194-f37f04c208ba"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://lost-door.blogspot.lu/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/",
+ "https://www.cyber.nj.gov/threat-profiles/trojan-variants/lost-door-rat"
+ ],
+ "synonyms": [
+ "LostDoor"
+ ],
+ "date": "2010"
+ },
+ "description": "Unlike most attack tools that one can only find in cybercriminal underground markets, Lost Door is very easy to obtain. It\u2019s promoted on social media sites like YouTube and Facebook. Its maker, \u201cOussamiO,\u201d even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT is found. 
Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.",
+ "value": "Lost Door",
+ "uuid": "8007f2be-ba4f-445e-8a15-6c2bfe769c49"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rekings.com/loki-rat-php-rat/"
+ ]
+ },
+ "description": "Loki RAT is a php RAT that means no port forwarding is needed for this RAT, If you dont know how to setup this RAT click on tutorial.",
+ "value": "Loki RAT",
+ "uuid": "70e6875b-34b5-4f97-8403-210defbc040d"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://github.com/BahNahNah/MLRat"
+ ]
+ },
+ "value": "MLRat",
+ "uuid": "83929545-ef07-469c-ab55-c59155a66cc6"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://perfect-conexao.blogspot.lu/2014/09/spycronic-1021.html",
+ "http://www.connect-trojan.net/2013/09/spycronic-v1.02.1.html",
+ "https://ranger-exploit.com/spycronic-v1-02-1/"
+ ]
+ },
+ "value": "SpyCronic",
+ "uuid": "71289654-0217-44d7-8762-b609b3eace80"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://github.com/n1nj4sec/pupy"
+ ],
+ "date": "2015"
+ },
+ "description": "Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python ",
+ "value": "Pupy",
+ "uuid": "bdb420be-5882-41c8-b439-02bbef69d83f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://novarat.sourceforge.net/"
+ ],
+ "date": "2002"
+ },
+ "description": "Nova is a proof of concept demonstrating screen sharing over UDP hole punching.",
+ "value": "Nova",
+ "uuid": "eea78fd1-11ae-432a-9422-d5e774eb8ff2"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=9401&signatureSubId=2",
+ "https://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=9401&signatureSubId=0&softwareVersion=6.0&releaseVersion=S177",
+ "https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20292",
+ "https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20264"
+ ],
+ "synonyms": [
+ "Back Door Y3K RAT", 
+ "Y3k"
+ ],
+ "date": "1998"
+ },
+ "value": "BD Y3K RAT",
+ "uuid": "62f8b6aa-f3df-4789-9348-b16db59f345e"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://turkojan.blogspot.lu/"
+ ],
+ "date": "2003"
+ },
+ "description": "Turkojan is a remote administration and spying tool for Microsoft Windows operating systems.",
+ "value": "Turkojan",
+ "uuid": "29f7cf0f-b422-4966-9298-c8b4cb54deac"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://josh.com/tiny/"
+ ]
+ },
+ "description": "TINY is a set of programs that lets you control a DOS computer from any Java-capable machine over a TCP/IP connection. It is comparable to programs like VNC, CarbonCopy, and GotoMyPC except that the host machine is a DOS computer rather than a Windows one.",
+ "value": "TINY",
+ "uuid": "c9fd50a0-35c8-4dfd-baeb-8043182e864c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.security-database.com/toolswatch/SharK-3-Remote-Administration-Tool.html",
+ "http://lpc1.clpccd.cc.ca.us/lpc/mdaoud/CNT7501/NETLABS/Ethical_Hacking_Lab_05.pdf"
+ ],
+ "synonyms": [
+ "SHARK",
+ "Shark"
+ ],
+ "date": "2008"
+ },
+ "description": "sharK is an advanced reverse connecting, firewall bypassing remote administration tool written in VB6. With sharK you will be able to administrate every PC (using Windows OS) remotely.",
+ "value": "SharK",
+ "uuid": "ff471870-7c9a-4122-ba89-489fc819660b"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2003-022018-5040-99"
+ ],
+ "synonyms": [
+ "Backdoor.Blizzard",
+ "Backdoor.Fxdoor",
+ "Backdoor.Snowdoor",
+ "Backdoor:Win32/Snowdoor"
+ ]
+ },
+ "description": "Backdoor.Snowdoor is a Backdoor Trojan Horse that allows unauthorized access to an infected computer. It creates an open C drive share with its default settings. 
By default, the Trojan listens on port 5,328.",
+ "value": "Snowdoor",
+ "uuid": "ed4590cd-d636-46bc-a92d-d90b9548db51"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.nulled.to/topic/155464-paradox-rat/"
+ ]
+ },
+ "value": "Paradox",
+ "uuid": "5d4123f6-c344-45ee-83e9-c5656d38e604"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rekings.com/spynote-v4-android-rat/"
+ ]
+ },
+ "description": "Android RAT",
+ "value": "SpyNote",
+ "uuid": "ea727e26-b3de-44f8-86c5-11a912c7a8aa"
+ },
+ {
+ "value": "ZOMBIE SLAYER",
+ "uuid": "b7b6db54-db6a-463c-a2a2-3a0da1f7fe32"
+ },
+ {
+ "value": "HTTP WEB BACKDOOR",
+ "uuid": "69b002ee-1be8-44e2-9295-8299b97a5773"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://networklookout.com/help/"
+ ]
+ },
+ "description": "Net Monitor for Employees lets you see what everyone's doing - without leaving your desk. Monitor the activity of all employees. Plus you can share your screen with your employees PCs, making demos and presentations much easier.",
+ "value": "NET-MONITOR PRO",
+ "uuid": "376671ff-2131-4150-b1f4-7870f6adf8ae"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.dameware.com/dameware-mini-remote-control"
+ ],
+ "synonyms": [
+ "dameware"
+ ]
+ },
+ "description": "Affordable remote control software for all your customer support and help desk needs.",
+ "value": "DameWare Mini Remote Control",
+ "uuid": "ba157c90-8f94-45f2-8395-001e76eee506"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.remoteutilities.com/"
+ ]
+ },
+ "description": "Remote Utilities is a free remote access program with some really great features. 
It works by pairing two remote computers together with what they call an \"Internet ID.\" You can control a total of 10 PCs with Remote Utilities.",
+ "value": "Remote Utilities",
+ "uuid": "903846e2-5fa7-42c9-98bf-00d05473c9e3"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://ammyy-admin.soft32.com/"
+ ],
+ "synonyms": [
+ "Ammyy"
+ ],
+ "date": "2011"
+ },
+ "description": "Ammyy Admin is a completely portable remote access program that's extremely simple to setup. It works by connecting one computer to another via an ID supplied by the program.",
+ "value": "Ammyy Admin",
+ "uuid": "9025f09b-a3fe-4711-89b8-bee6037681f8"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.uvnc.com/"
+ ]
+ },
+ "description": "UltraVNC works a bit like Remote Utilities, where a server and viewer is installed on two PCs, and the viewer is used to control the server.",
+ "value": "Ultra VNC",
+ "uuid": "12f03025-467b-49b3-ba7b-2a152e38eae5"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.aeroadmin.com/en/"
+ ]
+ },
+ "description": "AeroAdmin is probably the easiest program to use for free remote access. There are hardly any settings, and everything is quick and to the point, which is perfect for spontaneous support.",
+ "value": "AeroAdmin",
+ "uuid": "6dd8f7ac-a90b-4155-843d-b95f1f4e0e81"
+ },
+ {
+ "description": "Windows Remote Desktop is the remote access software built into the Windows operating system. No additional download is necessary to use the program.",
+ "value": "Windows Remote Desktop",
+ "uuid": "07c792c4-2f78-4eba-a6a3-3ba28e098886"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.remotepc.com/"
+ ]
+ },
+ "description": "RemotePC, for good or bad, is a more simple free remote desktop program. 
You're only allowed one connection (unless you upgrade) but for many of you, that'll be just fine.",
+ "value": "RemotePC",
+ "uuid": "e4ae4f4e-a751-4633-a54e-c747508ff3b8"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://seecreen.com/"
+ ],
+ "synonyms": [
+ "Firnass"
+ ]
+ },
+ "description": "Seecreen (previously called Firnass) is an extremely tiny (500 KB), yet powerful free remote access program that's absolutely perfect for on-demand, instant support.",
+ "value": "Seecreen",
+ "uuid": "b9df1fb3-17b7-430b-8c23-f1d321c1265c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp?hl=en"
+ ]
+ },
+ "description": "Chrome Remote Desktop is an extension for the Google Chrome web browser that lets you setup a computer for remote access from any other Chrome browser.",
+ "value": "Chrome Remote Desktop",
+ "uuid": "6583d982-a5cb-47e0-a3b0-bc18cadaeb53"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://anydesk.com/remote-desktop"
+ ]
+ },
+ "description": "AnyDesk is a remote desktop program that you can run portably or install like a regular program.",
+ "value": "AnyDesk",
+ "uuid": "7d71d21e-68f0-4595-beee-7c353471463d"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.litemanager.com/"
+ ]
+ },
+ "description": "LiteManager is another remote access program, and it's strikingly similar to Remote Utilities, which I explain on the first page of this list. However, unlike Remote Utilities, which can control a total of only 10 PCs, LiteManager supports up to 30 slots for storing and connecting to remote computers, and also has lots of useful features.",
+ "value": "LiteManager",
+ "uuid": "0c8a877b-6c9c-43a7-9688-d90a098d8710"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.comodo.com/home/download/download.php?prod=comodounite"
+ ]
+ },
+ "description": "Comodo Unite is another free remote access program that creates a secure VPN between multiple computers. 
Once a VPN is established, you can remotely have access to applications and files through the client software.",
+ "value": "Comodo Unite",
+ "uuid": "9b990bc7-ff88-4658-90de-806711462c55"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://showmypc.com/"
+ ]
+ },
+ "description": "ShowMyPC is a portable and free remote access program that's nearly identical to UltraVNC but uses a password to make a connection instead of an IP address.",
+ "value": "ShowMyPC",
+ "uuid": "185adc84-ad02-4559-aacc-50b2d690640c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.join.me/"
+ ]
+ },
+ "description": "join.me is a remote access program from the producers of LogMeIn that provides quick access to another computer over an internet browser.",
+ "value": "join.me",
+ "uuid": "204b457d-9729-460b-991b-943171c55fa7"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.nchsoftware.com/remotedesktop/index.html"
+ ]
+ },
+ "description": "DesktopNow is a free remote access program from NCH Software. After optionally forwarding the proper port number in your router, and signing up for a free account, you can access your PC from anywhere through a web browser.",
+ "value": "DesktopNow",
+ "uuid": "82a2bcba-0f31-4a45-bddb-559db9819fad"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.beamyourscreen.com/"
+ ]
+ },
+ "description": "Another free and portable remote access program is BeamYourScreen. 
This program works like some of the others in this list, where the presenter is given an ID number they must share with another user so they can connect to the presenter's screen.",
+ "value": "BeamYourScreen",
+ "uuid": "a31bf7d6-70a9-4f5f-a38e-88e173ad444c"
+ },
+ {
+ "value": "Casa RAT",
+ "uuid": "ef164438-e4bd-4c56-a8e6-e5e64bc8dd5a"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.nuclearwintercrew.com/Products-View/57/Bandook_RAT_v1.35__NEW_/"
+ ],
+ "date": "2005"
+ },
+ "description": "Bandook is a FWB#++ reverse connection rat (Remote Administration Tool), with a small size server when packed 30 KB, and a long list of amazing features",
+ "value": "Bandook RAT",
+ "uuid": "3482922d-b58c-482f-8363-f63f52fcdb43"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.hacktohell.org/2011/05/setting-up-cerberus-ratremote.html"
+ ],
+ "date": "2009"
+ },
+ "value": "Cerberus RAT",
+ "uuid": "180145d0-f4e3-4ab3-b5bb-ce17f7fec0db"
+ },
+ {
+ "value": "Syndrome RAT",
+ "meta": {
+ "date": "2010"
+ },
+ "uuid": "db9bcc9a-27ec-4a58-a481-d978b4954ad7"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.spy-emergency.com/research/S/Snoopy.html"
+ ],
+ "date": "2002"
+ },
+ "description": "Snoopy is a Remote Administration Tool. Software for controlling user computer remotely from other computer on local network or Internet.",
+ "value": "Snoopy",
+ "uuid": "fffbcd87-f028-4c4a-9e94-312e4e954450"
+ },
+ {
+ "value": "5p00f3r.N$ RAT",
+ "meta": {
+ "date": "2010"
+ },
+ "uuid": "f592c850-4867-4fa1-a303-151b953710d7"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "P.Storrie RAT"
+ ],
+ "date": "2011"
+ },
+ "value": "P. 
Storrie RAT", + "uuid": "9287c2db-99e6-4d3b-bb32-3054e2e96e39" + }, + { + "value": "xHacker Pro RAT", + "meta": { + "date": "2007" + }, + "uuid": "832dad3c-6483-4d3c-ad02-8336dea90682" + }, + { + "meta": { + "refs": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2002-021310-3452-99" + ] + }, + "description": "Backdoor.NetDevil allows a hacker to remotely control an infected computer.", + "value": "NetDevil", + "uuid": "281563d8-14f8-43a8-a0cb-2f0198f7146c" + }, + { + "meta": { + "refs": [ + "https://www.digitrustgroup.com/nanocore-not-your-average-rat/" + ] + }, + "description": "In September of 2015, a DigiTrust client visited a web link that was providing an Adobe Flash Player update. The client, an international retail organization, attempted to download and run what appeared to be a regular update. The computer trying to download this update was a back office system that processed end of day credit card transactions. This system also had the capability of connecting to the corporate network which contained company sales reports.\nDigiTrust experts were alerted to something malicious and blocked the download. The investigation found that what appeared to be an Adobe Flash Player update, was a Remote Access Trojan called NanoCore. If installation had been successful, customer credit card data, personal information, and internal sales information could have been captured and monetized. During the analysis of NanoCore, our experts found that there was much more to this RAT than simply being another Remote Access Trojan.", + "value": "NanoCore", + "uuid": "6c3c111a-93af-428a-bee0-feacbee0237d" + }, + { + "description": "The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. 
This RAT builder caught our attention as it was being offered for free and had lot of similarities to the njRAT/H-Worm family", + "value": "Cobian RAT", + "meta": { + "refs": [ + "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" + ], + "date": "2017" + }, + "uuid": "8c49da10-2b59-42c4-81e6-75556decdecb" + }, + { + "description": "NetSupport Manager continues to deliver the very latest in remote access, PC support and desktop management capabilities. From a desktop, laptop, tablet or smartphone, monitor multiple systems in a single action, deliver hands-on remote support, collaborate and even record or play back sessions. When needed, gather real-time hardware and software inventory, monitor services and even view system config remotely to help resolve issues quickly.", + "value": "Netsupport Manager", + "meta": { + "refs": [ + "http://www.netsupportmanager.com/index.asp" + ], + "date": "1989" + }, + "uuid": "d6fe0674-f55b-46ea-bf87-78fa0fa6ac97" + }, + { + "value": "Vortex", + "meta": { + "date": "1998" + }, + "uuid": "2a47361d-584b-493f-80a4-37c74c30cf1b" + }, + { + "value": "Assassin", + "meta": { + "date": "2002" + }, + "uuid": "eac2e921-d71e-45fd-abff-4902968f910d" + }, + { + "value": "Net Devil", + "meta": { + "refs": [ + "https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20702" + ], + "date": "2002", + "synonyms": [ + "NetDevil" + ] + }, + "uuid": "2be434d3-03df-4236-9e7e-130c2efa8b33" + }, + { + "value": "A4Zeta", + "meta": { + "refs": [ + "http://www.megasecurity.org/trojans/a/a4zeta/A4zeta_b2.html" + ], + "date": "2002" + }, + "uuid": "9a0b6acf-e913-446a-a4cd-35eb9046febe" + }, + { + "value": "Greek Hackers RAT", + "meta": { + "refs": [ + "http://www.connect-trojan.net/2013/04/greek-hackers-rat-1.0.html?m=0" + ], + "date": "2002" + }, + "uuid": "77e7ad24-3412-4536-ae4c-1971317f4231" + }, + { + "value": "MRA RAT", + "meta": { + "refs": [ + "http://www.connect-trojan.net/2013/04/greek-hackers-rat-1.0.html?m=0" + ], 
+ "date": "2002" + }, + "uuid": "de4974d1-1a1b-4a67-835b-172ebbdcfafd" + }, + { + "value": "Sparta RAT", + "meta": { + "refs": [ + "http://www.connect-trojan.net/2015/09/sparta-rat-1.2-by-azooz-ejram.html" + ], + "date": "2002" + }, + "uuid": "c1086221-a498-4ec9-ac33-85e4790136ae" + }, + { + "value": "LokiTech", + "meta": { + "date": "2003" + }, + "uuid": "ff97af70-011c-4d7c-9ae6-1e41ea5dfc12" + }, + { + "value": "MadRAT", + "meta": { + "date": "2002" + }, + "uuid": "5c65f5ec-c629-4d12-9078-08a4bb7522eb" + }, + { + "value": "Tequila Bandita", + "meta": { + "refs": [ + "http://www.connect-trojan.net/2013/07/tequila-bandita-1.3b2.html" + ], + "date": "2004" + }, + "uuid": "831879d3-5492-46b1-b174-491e6b413232" + }, + { + "value": "Toquito Bandito", + "meta": { + "refs": [ + "http://www.megasecurity.org/trojans/t/toquitobandito/Toquitobandito_all.html" + ], + "date": "2004" + }, + "uuid": "79861bda-8c72-4b90-876e-854b9daf32eb" + }, + { + "description": "MofoTro is a new rat coded by Cool_mofo_2.", + "value": "MofoTro", + "meta": { + "refs": [ + "http://www.megasecurity.org/trojans/m/mofotro/Mofotro_beta.html", + "http://www.megasecurity.org/trojans/m/mofotro/Mofotroresurrection.html", + "http://www.megasecurity.org/trojans/m/mofotro/Mofotro_beta1.5.html" + ], + "date": "2006" + }, + "uuid": "fa0a7929-3876-4866-9c01-a5d168379816" + }, + { + "description": "Written in Delphi", + "value": "Hav-RAT", + "meta": { + "refs": [ + "http://www.megasecurity.org/trojans/h/hav/Havrat1.2.html" + ], + "date": "2007" + }, + "uuid": "3a2176f2-138d-4939-958c-70992abddca3" + }, + { + "description": "ComRAT is a remote access tool suspected of being a decedent of Agent.btz and used by Turla.", + "value": "ComRAT", + "meta": { + "refs": [ + "https://attack.mitre.org/wiki/Software/S0126" + ], + "date": "2007" + }, + "uuid": "9223bf17-7e32-4833-9574-9ffd8c929765" + }, + { + "description": "4H RAT is malware that has been used by Putter Panda since at least 2007.", + "value": "4H RAT", + 
"meta": { + "refs": [ + "https://attack.mitre.org/wiki/Software/S0065" + ], + "date": "2007" + }, + "uuid": "d8aad68d-a68f-42e1-b755-d5f383b73401" + }, + { + "description": "", + "value": "Darknet RAT", + "meta": { + "refs": [ + "http://www.connect-trojan.net/2015/06/dark-net-rat-v.0.3.9.0.html" + ], + "date": "2007", + "synonyms": [ + "Dark NET RAT" + ] + }, + "uuid": "ba285e93-d330-4efc-ad00-a84433575e2c" + }, + { + "value": "CIA RAT", + "meta": { + "date": "2008" + }, + "uuid": "b82d0ec7-3918-4252-9c8f-b4d17b14c596" + }, + { + "value": "Minimo", + "meta": { + "date": "2008" + }, + "uuid": "71a72669-4d7b-49a5-95a3-bbefbb2152bf" + }, + { + "value": "miniRAT", + "meta": { + "date": "2008" + }, + "uuid": "2b640955-05d4-46f7-9b34-c697f4e927e4" + }, + { + "value": "Pain RAT", + "meta": { + "date": "2008" + }, + "uuid": "17958627-0c27-4536-8839-5c91d51866bc" + }, + { + "description": "PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. 
It was utilized the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.", + "value": "PlugX", + "meta": { + "refs": [ + "https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/", + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX" + ], + "synonyms": [ + "Korplug" + ], + "date": "2005 or 2008" + }, + "uuid": "663f8ef9-4c50-499a-b765-f377d23c1070" + }, + { + "description": "The existence of the UNITEDRAKE RAT first came to light in 2014 as part of a series of classified documents leaked by former NSA contractor Edward Snowden.", + "value": "UNITEDRAKE", + "meta": { + "refs": [ + "http://thehackernews.com/2017/09/shadowbrokers-unitedrake-hacking.html", + "https://www.itnews.com.au/news/shadowbrokers-release-unitedrake-nsa-malware-472771" + ], + "date": "2008" + }, + "uuid": "41d4b98f-8ec2-4e8d-938c-42a776b422ee" + }, + { + "description": "Written in Visual Basic", + "value": "MegaTrojan", + "meta": { + "refs": [ + "http://www.megasecurity.org/trojans/m/mega/Megatrojan1.0.html" + ], + "date": "2008" + }, + "uuid": "4c053709-5349-4630-8462-dde28c8433eb" + }, + { + "value": "Venomous Ivy", + "meta": { + "date": "2009" + }, + "uuid": "9b5eb899-fc44-43f5-9a28-cdac4bc6a784" + }, + { + "value": "Xploit", + "meta": { + "date": "2010" + }, + "uuid": "286fc965-b019-49b1-937c-740b95a368bb" + }, + { + "value": "Arctic R.A.T.", + "meta": { + "refs": [ + "http://anti-virus-soft.com/threats/artic" + ], + "synonyms": [ + "Artic" + ], + "date": "2010" + }, + "uuid": "3ff21b18-8be5-45fd-9d42-d5ab9dddfa4c" + }, + { + "value": "GOlden Phoenix", + "meta": { + "refs": [ + "http://www.connect-trojan.net/2014/02/golden-phoenix-rat-0.2.html" + ], + "date": "2010" + }, + "uuid": "422ff7d4-0106-4e87-8eae-8cbd6c789540" + }, + { + "value": "GraphicBooting", + "meta": { + "refs": [ + "http://www.connect-trojan.net/2014/10/graphicbooting-rat-v0.1-beta.html?m=0" + ], + "date": "2010" + }, + "uuid": "06b18c56-0894-4bca-a373-21e1576ddd7c" + }, + { + 
"value": "Pocket RAT", + "meta": { + "date": "2010" + }, + "uuid": "76313bca-2551-4f0c-b427-e413cbb728b0" + }, + { + "value": "Erebus", + "meta": { + "date": "2010" + }, + "uuid": "ee73e375-3ac2-4ce0-b24b-74fd82d52864" + }, + { + "value": "SharpEye", + "meta": { + "refs": [ + "http://www.connect-trojan.net/2014/10/sharpeye-rat-1.0-beta-1.html", + "http://www.connect-trojan.net/2014/02/sharpeye-rat-1.0-beta-2.html" + ], + "date": "2010" + }, + "uuid": "c42394f8-5f35-4797-9393-8289ab8ad3ad" + }, + { + "value": "VorteX", + "meta": { + "date": "2010" + }, + "uuid": "58e2e2ee-5c25-4a13-abfc-2a6c85d978fa" + }, + { + "value": "Archelaus Beta", + "meta": { + "refs": [ + "http://www.connect-trojan.net/2014/02/archelaus-rat-beta.html" + ], + "date": "2010" + }, + "uuid": "ccd38085-f3bc-4fb0-ae24-99a45964dd8e" + }, + { + "description": "C# RAT (Remote Adminitration Tool) - Educational purposes only", + "value": "BlackHole", + "meta": { + "refs": [ + "https://github.com/hussein-aitlahcen/BlackHole" + ], + "date": "2011" + }, + "uuid": "2ea1f494-cf18-49fb-a043-36555131dd7c" + }, + { + "value": "Vanguard", + "meta": { + "refs": [ + "http://ktwox7.blogspot.lu/2010/12/vanguard-remote-administration.html" + ], + "date": "2010" + }, + "uuid": "9de3e8d7-c501-4926-a82f-6e147d66c06d" + }, + { + "value": "Ahtapod", + "meta": { + "refs": [ + "http://www.ibtimes.co.uk/turkish-journalist-baris-pehlivan-jailed-terrorism-was-framed-by-hackers-says-report-1577481" + ], + "date": "2011" + }, + "uuid": "dd2c3283-095d-4895-85cd-6a01e0616968" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html" + ], + "date": "2012" + }, + "description": "Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.", + "value": "FINSPY", + "uuid": "6ac125c8-6f00-490f-a43b-30b36d715431" + }, + 
{ + "description": "Seed is a firewall bypass plus trojan, injects into default browser and has a simple purpose: to be compact (4kb server size) and useful while uploading bigger and full trojans, or even making Seed download them somewhere. Has computer info, process manager, file manager, with download, create folder, delete, execute and upload. And a remote download function. Everything with a easy to use interface, reminds an instant messenger.", + "value": "Seed RAT", + "meta": { + "refs": [ + "http://www.nuclearwintercrew.com/Products-View/25/Seed_1.1/" + ], + "date": "2004 or 2011" + }, + "uuid": "4c0ec00c-7fd4-4d8b-b1c9-6a12035fe992" + }, + { + "value": "SharpBot", + "meta": { + "date": "2011" + }, + "uuid": "126d167b-c47e-42a5-91fa-5af157f6df30" + }, + { + "value": "TorCT PHP RAT", + "meta": { + "refs": [ + "https://github.com/alienwithin/torCT-PHP-RAT" + ], + "date": "2012" + }, + "uuid": "14210ee4-e0bf-49f9-8d7a-13180dadda6b" + }, + { + "value": "A32s RAT", + "meta": { + "date": "2012" + }, + "uuid": "564dc473-e3a7-466b-afa0-591db218c05e" + }, + { + "value": "Char0n", + "meta": { + "date": "2012" + }, + "uuid": "6faf9e5a-517f-4f7c-b720-7b7d537f65ef" + }, + { + "value": "Nytro", + "meta": { + "date": "2012" + }, + "uuid": "25d23e76-72b1-4d47-9c80-9610a91e4945" + }, + { + "value": "Syla", + "meta": { + "refs": [ + "http://www.connect-trojan.net/2013/07/syla-rat-0.3.html" + ], + "date": "2012" + }, + "uuid": "bcbe2297-5ebf-48fe-936c-6f850f23383c" + }, + { + "description": "Cobalt Strike is software for Adversary Simulations and Red Team Operations.", + "value": "Cobalt Strike", + "meta": { + "refs": [ + "https://www.cobaltstrike.com/" + ], + "date": "2012" + }, + "uuid": "ca44dd5e-fd9e-48b5-99cb-0b2629b9265f" + }, + { + "description": "The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. 
Sakula enables an adversary to run interactive commands as well as to download and execute additional components.", + "value": "Sakula", + "meta": { + "refs": [ + "https://www.secureworks.com/research/sakula-malware-family" + ], + "synonyms": [ + "Sakurel", + "VIPER" + ], + "date": "2012" + }, + "uuid": "3eca2d5f-41bf-4ad4-847f-df18befcdc44" + }, + { + "description": "hcdLoader is a remote access tool (RAT) that has been used by APT18.", + "value": "hcdLoader", + "meta": { + "refs": [ + "https://attack.mitre.org/wiki/Software/S0071" + ], + "date": "2012" + }, + "uuid": "12bb8f4f-af29-49a0-8c2c-d28468f28fd8" + }, + { + "value": "Crimson", + "meta": { + "refs": [ + "http://www.connect-trojan.net/2015/01/crimson-rat-3.0.0.html" + ], + "date": "2012" + }, + "uuid": "8d8efbc6-d1b7-4ec8-bab3-591edba337d0" + }, + { + "value": "KjW0rm", + "meta": { + "refs": [ + "http://hack-defender.blogspot.fr/2015/12/kjw0rm-v05x.html" + ], + "date": "2013" + }, + "uuid": "a7bffc6a-5b47-410b-b039-def16050adcb" + }, + { + "value": "Ghost", + "meta": { + "refs": [ + "https://www.youtube.com/watch?v=xXZW4ajVYkI" + ], + "synonyms": [ + "Ucul" + ], + "date": "2013" + }, + "uuid": "22f43398-47b2-4851-866a-b9ed0d355bf2" + }, + { + "value": "9002", + "meta": { + "date": "2013" + }, + "uuid": "21029a2d-85d7-40d0-9b87-8e8c414bf470" + }, + { + "value": "Sandro RAT", + "meta": { + "date": "2014" + }, + "uuid": "ad630149-e7d4-4ca0-9877-ef37743d00a3" + }, + { + "value": "Mega", + "meta": { + "date": "2014" + }, + "uuid": "d0d7dc33-1c12-4a5a-b421-79f4761bd1b1" + }, + { + "value": "WiRAT", + "meta": { + "date": "2014" + }, + "uuid": "af66d0c1-15c9-4a0b-b0cc-4208914707e6" + }, + { + "value": "3PARA RAT", + "meta": { + "refs": [ + "https://books.google.fr/books?isbn=2212290136" + ] + }, + "uuid": "59fb0222-0e7d-4f5f-92ac-e68012fb927d" + }, + { + "value": "BBS RAT", + "meta": { + "date": "2014" + }, + "uuid": "6e754ac7-0ffb-4510-9f70-4b74ab7bc868" + }, + { + "description": "KONNI is a remote access Trojan 
(RAT) that was first reported in May of 2017, but is believed to have been in use for over 3 years. As Part of our daily threat monitoring, FortiGuard Labs came across a new variant of the KONNI RAT and decided to take a deeper look.", + "value": "Konni", + "meta": { + "refs": [ + "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant", + "https://www.cylance.com/en_us/blog/threat-spotlight-konni-stealthy-remote-access-trojan.html", + "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/", + "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html" + ], + "synonyms": [ + "KONNI" + ] + }, + "uuid": "5b930a23-7d88-481f-8791-abc7b3dd93d2" + }, + { + "value": "Felismus RAT", + "description": "Used by Sowbug", + "meta": { + "date": "2014", + "refs": [ + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" + ] + }, + "uuid": "1a35d040-1e0e-402b-8174-43e5c3c81922" + }, + { + "description": "Xsser mRAT is a piece of malware that targets iOS devices that have software limitations removed. The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. 
The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server.", + "value": "Xsser", + "meta": { + "refs": [ + "https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html", + "http://malware.wikia.com/wiki/Xsser_mRAT" + ], + "synonyms": [ + "mRAT" + ], + "date": "2014" + }, + "uuid": "b1abae3d-e1a1-4c50-a3b0-9509c594a600" + }, + { + "description": "GovRAT is an old cyberespionage tool, it has been in the wild since 2014 and it was used by various threat actors across the years.", + "value": "GovRAT", + "meta": { + "refs": [ + "http://securityaffairs.co/wordpress/41714/cyber-crime/govrat-platform.html", + "http://securityaffairs.co/wordpress/51202/cyber-crime/govrat-2-0-attacks.html" + ], + "date": "2015" + }, + "uuid": "b6ddc2c6-5890-4c60-9b10-4274d1a9cc22" + }, + { + "value": "Rottie3", + "meta": { + "refs": [ + "https://www.youtube.com/watch?v=jUg5--68Iqs" + ], + "date": "2015" + }, + "uuid": "2e44066e-bb4f-41f9-86d3-495f83df5195" + }, + { + "value": "Killer RAT", + "meta": { + "date": "2015" + }, + "uuid": "983d5ac0-2e26-4793-8bab-fce33ae4e46d" + }, + { + "value": "Hi-Zor", + "meta": { + "refs": [ + "https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat" + ], + "date": "2015" + }, + "uuid": "d22a3e65-75e5-4970-b424-bdc06ec33dba" + }, + { + "description": "Quaverse RAT or QRAT is a fairly new Remote Access Tool (RAT) introduced in May 2015. This RAT is marketed as an undetectable Java RAT. As you might expect from a RAT, the tool is capable of grabbing passwords, key logging and browsing files on the victim's computer. On a regular basis for the past several months, we have observed the inclusion of QRAT in a number of spam campaigns. 
", + "value": "Quaverse", + "meta": { + "refs": [ + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/" + ], + "synonyms": [ + "QRAT" + ], + "date": "2015" + }, + "uuid": "3d7cbe3f-ba90-46f7-89a2-21aa52871404" + }, + { + "value": "Heseber", + "meta": { + "date": "2015" + }, + "uuid": "69d1f7e0-d7df-4e86-bec5-b7df696c5bcf" + }, + { + "description": "Cardinal is a remote access trojan (RAT) discovered by Palo Alto Networks in 2017 and has been active for over two years. It is delivered via a downloader, known as Carp, and uses malicious macros in Microsoft Excel documents to compile embedded C# programming language source code into an executable that runs and deploys the Cardinal RAT. The malicious Excel files use different tactics to get the victims to execute it. ", + "value": "Cardinal", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/", + "https://www.scmagazine.com/cardinal-rats-unique-downloader-allowed-it-to-avoid-detection-for-years/article/651927/", + "https://www.cyber.nj.gov/threat-profiles/trojan-variants/cardinal" + ], + "date": "2015" + }, + "uuid": "cb23f563-a8b9-4427-9884-594e8d3cc836" + }, + { + "description": "Works on all Android, Windows, Linux and Mac devices!", + "value": "OmniRAT", + "meta": { + "refs": [ + "https://omnirat.eu/en/" + ], + "date": "2015" + }, + "uuid": "f091dfcb-07f4-4414-849e-c644e7327d94" + }, + { + "value": "Jfect", + "meta": { + "refs": [ + "https://www.youtube.com/watch?v=qKdoExQFb68" + ], + "date": "2015" + }, + "uuid": "10193e70-8bb7-4e48-b8f0-7692f2052c89" + }, + { + "description": "Trochilus is a remote access trojan (RAT) first identified in October 2015 when attackers used it to infect visitors of a Myanmar website. It was then used in a 2016 cyber-espionage campaign, dubbed \"the Seven Pointed Dagger,\" managed by another group, \"Group 27,\" who also uses the PlugX trojan. 
Trochilus is primarily spread via emails with a malicious .RAR attachment containing the malware. The trojan's functionality includes a shellcode extension, remote uninstall, a file manager, and the ability to download and execute, upload and execute, and access the system information. Once present on a system, Trochilus can move laterally in the network for better access. This trojan operates in memory only and does not write to the disk, helping it evade detection. ", + "value": "Trochilus", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/", + "http://securityaffairs.co/wordpress/43889/cyber-crime/new-rat-trochilus.html" + ], + "date": "2015" + }, + "uuid": "8204723f-aefc-4c90-9178-8fe53e8d6f33" + }, + { + "description": "Their most commonly used initial attack vector is a simple, yet alarmingly effective, spearphishing attack, infecting unsuspecting victims via a malicious email attachment (usually an executable that has been disguised as something else). From there, Matryoshka runs second stage malware via a dropper and covertly installs a Remote Access Toolkit (RAT). This is done using a reflective loader technique that allows the malware to run in process memory, rather than being written to disk. This not only hides the install of the RAT but also ensures that the RAT will be \u2018reinstalled\u2019 after system restart.", + "value": "Matryoshka", + "meta": { + "refs": [ + "https://www.alienvault.com/blogs/security-essentials/matryoshka-malware-from-copykittens-group" + ], + "date": "2015" + }, + "uuid": "33b86249-5455-4698-a5e5-0c9591e673b9" + }, + { + "description": "First discovered by Trend Micro in June, Mangit is a new malware family being marketed on both the Dark web and open internet. Users have the option to rent the trojan's infrastructure for about $600 per 10-day period or buy the source code for about $8,800. 
Mangit was allegedly developed by \"Ric\", a Brazilian hacker, who makes himself available via Skype to discuss rental agreements. Once the malware is rented or purchased, the user controls a portion of the Mangit botnet, the trojan, the dropper, an auto-update system, and the server infrastructure to run their attacks. Mangit contains support for nine Brazillian banks including Citibank, HSBC, and Santander. The malware can also be used to steal user PayPal credentials. Mangit has the capability to collect banking credentials, receive SMS texts when a victim is accessing their bank account, and take over victim's browsers. To circumvent two-factor authentication, attackers can use Mangit to lock victim's browsers and push pop-ups to the victim asking for the verification code they just received.", + "value": "Mangit", + "meta": { + "refs": [ + "http://virusguides.com/newly-discovered-mangit-malware-offers-banking-trojan-service/", + "https://www.cyber.nj.gov/threat-profiles/trojan-variants/mangit", + "http://news.softpedia.com/news/new-malware-mangit-surfaces-as-banking-trojan-as-a-service-505458.shtml" + ], + "date": "2016" + }, + "uuid": "05ecfb96-f9ec-4dab-b7d3-86b8cb3fe7b5" + }, + { + "value": "LeGeNd", + "meta": { + "refs": [ + "http://www.connect-trojan.net/2016/08/legend-rat-v1.3-by-ahmed-ibrahim.html", + "http://www.connect-trojan.net/2016/11/legend-rat-v1.9-by-ahmed-ibrahim.html" + ], + "date": "2016" + }, + "uuid": "20336460-828e-4f18-bbe6-14f3579b5f5a" + }, + { + "description": "Revenge v0.1 was a simple tool, according to a researcher known as Rui, who says the malware\u2019s author didn\u2019t bother obfuscating the RAT\u2019s source code. This raised a question mark with the researchers, who couldn\u2019t explain why VirusTotal scanners couldn\u2019t pick it up as a threat right away.Revenge, which was written in Visual Basic, also didn\u2019t feature too many working features, compared to similar RATs. 
Even Napolean admitted that his tool was still in the early development stages, a reason why he provided the RAT for free.", + "value": "Revenge-RAT", + "meta": { + "refs": [ + "http://www.securitynewspaper.com/2016/08/31/unsophisticated-revenge-rat-released-online-free-exclusive/" + ], + "date": "2016" + }, + "uuid": "80c94c22-b294-4622-8934-e89a235d586f" + }, + { + "value": "vjw0rm 0.1", + "meta": { + "refs": [ + "https://twitter.com/malwrhunterteam/status/816993165119016960?lang=en" + ], + "date": "2016" + }, + "uuid": "bf86d7a6-80af-4d22-a092-f822bf7201d2" + }, + { + "description": "ROKRAT is a remote access trojan (RAT) that leverages a malicious Hangual Word Processor (HWP) document sent in spearphishing emails to infect hosts. The HWP document contains an embedded Encapsulated PostScript (EPS) object. The object exploits an EPS buffer overflow vulnerability and downloads a binary disguised as a .JPG file. The file is then decoded and the ROKRAT executable is initiated. The trojan uses legitimate Twitter, Yandex, and Mediafire websites for its command and control communications and exfiltration platforms, making them difficult to block globally. Additionally, the platforms use HTTPS connections, making it more difficult to gather additional data on its activities. Cisco's Talos Group identified two email campaigns. In one, attackers send potential victims emails from an email server of a private university in Seoul, South Korea with a sender email address of \"kgf2016@yonsei.ac.kr,\" the contact email for the Korea Global Forum, adding a sense of legitimacy to the email. It is likely that the email address was compromised and used by the attackers in this campaign. 
The second is less sophisticated and sends emails claiming to be from a free Korean mail service with a the subject line, \"Request Help\" and attached malicious HWP filename, \"I'm a munchon person in Gangwon-do, North Korea.\" The ROKRAT developer uses several techniques to hinder analysis, including identifying tools usually used by malware analysts or within sandbox environments. Once it has infected a device, this trojan can execute commands, move a file, remove a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes. Researchers believe the developer is a native Korean speaker and the campaign is currently targeting Korean-speakers.", + "value": "rokrat", + "meta": { + "refs": [ + "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html", + "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html" + ], + "synonyms": [ + "ROKRAT" + ], + "date": "2016" + }, + "uuid": "38e68703-1db4-4b97-80e9-a0afd099da58" + }, + { + "description": "Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT. 
Twitter user @hkashfi posted a Tweet saying that one of his friends received a file (US Travel Docs Information.jar) from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland (notice the \u201ci\u201d between \u201ctravel\u201d and \u201cdocs\u201d).", + "value": "Qarallax", + "meta": { + "refs": [ + "https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/" + ], + "synonyms": [ + "qrat" + ], + "date": "2016" + }, + "uuid": "179288c9-4ff1-4a7e-b728-35dd2e6aac43" + }, + { + "description": "MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.", + "value": "MoonWind", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/", + "https://attack.mitre.org/wiki/Software/S0149" + ], + "date": "2016" + }, + "uuid": "f266754c-d0aa-4918-95a3-73b28eaa66e3" + }, + { + "description": "Remcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, we\u2019ve seen its payload being distributed in the wild for the first time.", + "value": "Remcos", + "meta": { + "refs": [ + "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2" + ], + "date": "2016" + }, + "uuid": "f647cca0-7416-47e9-8342-94b84dd436cc" + }, + { + "description": "The purpose of the Client Maximus malware is financial fraud. As such, its code aspires to create the capabilities that most banking Trojans have, which allow attackers to monitor victims\u2019 web navigation and interrupt online banking session at will. 
After taking over a victim\u2019s banking session, an attacker operating this malware can initiate a fraudulent transaction from the account and use social engineering screens to manipulate the unwitting victim into authorizing it.", + "value": "Client Maximus", + "meta": { + "refs": [ + "https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/" + ], + "date": "2016" + }, + "uuid": "d840e5af-3e6b-49af-ab82-fb4f8740bf55" + }, + { + "description": "Thefatrat a massive exploiting tool revealed >> An easy tool to generate backdoor and easy tool to post exploitation attack like browser attack,dll . This tool compiles a malware with popular payload and then the compiled malware can be execute on windows, android, mac . The malware that created with this tool also have an ability to bypass most\u2026 ", + "value": "TheFat RAT", + "meta": { + "refs": [ + "https://github.com/Screetsec/TheFatRat" + ], + "date": "2016" + }, + "uuid": "90b4addc-e9ff-412d-899e-7204c89c0bdb" + }, + { + "description": "Since around October 2016, JPCERT/CC has been confirming information leakage and other damages caused by malware \u2018RedLeaves\u2019. 
It is a new type of malware which has been observed since 2016 in attachments to targeted emails.", + "value": "RedLeaves", + "meta": { + "refs": [ + "http://blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html" + ], + "date": "2016" + }, + "uuid": "ad6a1b4a-6d79-40d4-adb7-1d7ca697347e" + }, + { + "description": "Dubbed Rurktar, the tool hasn\u2019t had all of its functionality implemented yet, but G DATA says \u201cit is relatively safe to say [it] is intended for use in targeted spying operations.\u201d The malicious program could be used for reconnaissance operations, as well as to spy on infected computers users, and steal or upload files.", + "value": "Rurktar", + "meta": { + "refs": [ + "http://www.securityweek.com/rurktar-malware-espionage-tool-development" + ], + "date": "2017" + }, + "uuid": "40bce827-4049-46e4-8323-3ab58f0f00bc" + }, + { + "description": "RATAttack is a remote access trojan (RAT) that uses the Telegram protocol to support encrypted communication between the victim's machine and the attacker. The Telegram protocol also provides a simple method to communicate to the target, negating the need for port forwarding. Before using RATAttack, the attacker must create a Telegram bot and embed the bot's Telegram token into the trojan's configuration file. When a system is infected with RATAttack, it connects to the bot's Telegram channel. The attacker can then connect to the same channel and manage the RATAttack clients on the infected host machines. 
The trojan's code was available on GitHub then was taken down by the author on April 19, 2017.", + "value": "RATAttack", + "meta": { + "refs": [ + "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ratattack" + ], + "date": "2017" + }, + "uuid": "2384b62d-312f-43e2-ab47-68c9fcca1541" + }, + { + "description": "So called because the Command and Control (C2) infrastructure from previous variants of the malware was located in Cambodia, as discussed by Roland Dela Paz at Forecpoint here, KHRAT is a Trojan that registers victims using their infected machine\u2019s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.", + "value": "KhRAT", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/" + ], + "date": "2017" + }, + "uuid": "9da7b7b2-f514-4114-83c0-ce3a5f635d2e" + }, + { + "description": "", + "value": "RevCode", + "meta": { + "refs": [ + "https://revcode.eu/" + ], + "date": "2017" + }, + "uuid": "5a3463d3-ff2a-41e2-9186-55da8c88b349" + }, + { + "description": "Android Remote Administration Tool", + "value": "AhNyth Android", + "meta": { + "refs": [ + "https://github.com/AhMyth/AhMyth-Android-RAT" + ], + "date": "2017" + }, + "uuid": "b1df2bb1-7fd4-4a25-93c3-fe1f2c7cf529" + }, + { + "value": "Socket23", + "description": "SOCKET23 was launched from his web site and immedi- ately infected major French corporations between August and October 1998. The virus (distributing the Trojan) was known as W32/HLLP.DeTroie.A (alias W32/Cheval.TCV). Never had a virus so disrupted French industry. The author quickly offered his own remover and made his apologies on his web site (now suppressed). 
Jean-Christophe X (18) was arrested on Tuesday 15 June 1999 in the Paris area and placed under judicial investigation for \u2018fraudulent intrusion of data in a data processing system, suppression and fraudulent modification of data\u2019", + "meta": { + "refs": [ + "https://www.virusbulletin.com/uploads/pdf/magazine/1999/199908.pdf" + ], + "date": "1998" + }, + "uuid": "da7c818f-5f3b-415c-b885-cf0a71d6e89e" + }, + { + "value": "PowerRAT", + "meta": { + "date": "2017" + }, + "uuid": "b3620451-8871-4078-bbf9-aa5bab641299" + }, + { + "description": "Standard macOS backdoor, offered via a 'malware-as-a-service' model. MacSpy is advertised as the \"most sophisticated Mac spyware ever\", with the low starting price of free. While the idea of malware-as-a-service (MaaS) isn\u2019t a new one with players such as Tox and Shark the game, it can be said that MacSpy is one of the first seen for the OS X platform.", + "value": "MacSpy", + "meta": { + "refs": [ + "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service", + "https://objective-see.com/blog/blog_0x25.html" + ], + "date": "2017" + }, + "uuid": "b7cea5fe-d3fe-47cf-ba82-104c90e130ff" + }, + { + "description": "Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection. 
", + "value": "DNSMessenger", + "meta": { + "refs": [ + "http://blog.talosintelligence.com/2017/03/dnsmessenger.html" + ], + "date": "2017" + }, + "uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab" + }, + { + "value": "PentagonRAT", + "meta": { + "refs": [ + "http://pentagon-rat.blogspot.fr/" + ], + "date": "2017" + }, + "uuid": "d208daa3-6ecd-4faf-8492-04f7b5b2dd28" + }, + { + "description": "NewCore is a remote access trojan first discovered by Fortinet researchers while conducting analysis on a China-linked APT campaign targeting Vietnamese organizations. The trojan is a DLL file, executed after a trojan downloader is installed on the targeted machine. Based on strings in the code, the trojan may be compiled from the publicly-available source code of the PcClient and PcCortr backdoor trojans.", + "value": "NewCore", + "meta": { + "refs": [ + "https://www.cyber.nj.gov/threat-profiles/trojan-variants/newcore", + "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations" + ], + "date": "2017" + }, + "uuid": "6a505bfc-87fe-4bd2-97d7-394a3c29611d" + }, + { + "value": "Deeper RAT", + "meta": { + "date": "2010" + }, + "uuid": "d7739c15-07af-4cfd-9eea-a28ed90cbfa5" + }, + { + "value": "Xyligan", + "meta": { + "date": "2012" + }, + "uuid": "0a75f34a-eaca-4ed8-b2f2-3f713c7a0693" + }, + { + "value": "H-w0rm", + "meta": { + "date": "2013" + }, + "uuid": "ca6e2e9b-6b5a-447b-9561-295c807a6484" + }, + { + "description": "On November 8, 2016 a non-disclosed entity in Laos was spear-phished by a group closely related to known Chinese adversaries and most likely affiliated with the Chinese government. The attackers utilized a new kind of Remote Access Trojan (RAT) that has not been previously observed or reported. The new RAT extends the capabilities of traditional RATs by providing complete remote execution of custom commands and programming. 
htpRAT, uncovered by RiskIQ cyber investigators, is the newest weapon in the Chinese adversary\u2019s arsenal in a campaign against Association of Southeast Asian Nations (ASEAN). Most RATs can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs and manage files. They support a fixed set of commands operators can execute using different command IDs \u2014\u2019file download\u2019 or \u2018file upload,\u2019 for example\u2014and must be completely rebuilt to have different functionality. htpRAT, on the other hand, serves as a conduit for operators to do their job with greater precision and effect. On the Command and Control (C2) server side, threat actors can build new functionality in commands, which can be sent to the malware to execute. This capability makes htpRAT a small, agile, and incredibly dynamic piece of malware. Operators can change functionality, such as searching for a different file on the victim\u2019s network, simply by wrapping commands. ", + "value": "htpRAT", + "meta": { + "refs": [ + "https://cdn.riskiq.com/wp-content/uploads/2017/10/RiskIQ-htpRAT-Malware-Attacks.pdf?_ga=2.159415805.1155855406.1509033001-1017609577.1507615928" + ] + }, + "uuid": "7362581a-a7d1-4060-b225-e227f2df2b60" + }, + { + "description": "According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim\u2019s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. 
Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.", + "value": "FALLCHILL", + "meta": { + "refs": [ + "https://www.us-cert.gov/ncas/alerts/TA17-318A" + ] + }, + "uuid": "e0bea149-2def-484f-b658-f782a4f94815" + }, + { + "description": "Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called UBoatRAT. The initial version of the RAT, found in May of 2017, was simple HTTP backdoor that uses a public blog service in Hong Kong and a compromised web server in Japan for command and control. The developer soon added various new features to the code and released an updated version in June. The attacks with the latest variants we found in September have following characteristics.\nTargets personnel or organizations related to South Korea or video games industry\nDistributes malware through Google Drive\nObtains C2 address from GitHub\nUses Microsoft Windows Background Intelligent Transfer Service(BITS) to maintain persistence.", + "value": "UBoatRAT", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" + ] + }, + "uuid": "03694200-80c2-433d-9797-09eafcad1075" + }, + { + "description": "The EFF/Lookout report describes CrossRat as a \u201cnewly discovered desktop surveillanceware tool\u2026which is able to target Windows, OSX, and Linux.\u201d", + "value": "CrossRat", + "meta": { + "refs": [ + "https://digitasecurity.com/blog/2018/01/23/crossrat/" + ] + }, + "uuid": "696125b9-7a91-463a-9e6b-b4fc381b8833" + } + ] +} \ No newline at end of file diff --git a/clusters/sector.json b/clusters/sector.json index 66f78af..e080717 100644 --- a/clusters/sector.json +++ b/clusters/sector.json 
@@ -1,370 +1,489 @@ { - "values": [ - { - "value": "Unknown" - }, - { - "value": "Other" - }, - { - "value": "Academia - University" - }, - { - "value": "Activists" - }, - { - "value": "Aerospace" - }, - { - "value": "Agriculture" - }, - { - "value": "Arts" - }, - { - "value": "Bank" - }, - { - "value": "Chemical" - }, - { - "value": "Citizens" - }, - { - "value": "Civil Aviation" - }, - { - "value": "Country" - }, - { - "value": "Culture" - }, - { - "value": "Data Broker" - }, - { - "value": "Defense" - }, - { - "value": "Development" - }, - { - "value": "Diplomacy" - }, - { - "value": "Education" - }, - { - "value": "Electric" - }, - { - "value": "Electronic" - }, - { - "value": "Employment" - }, - { - "value": "Energy" - }, - { - "value": "Entertainment" - }, - { - "value": "Environment" - }, - { - "value": "Finance" - }, - { - "value": "Food" - }, - { - "value": "Game" - }, - { - "value": "Gas" - }, - { - "value": "Government, Administration" - }, - { - "value": "Health" - }, - { - "value": "Higher education" - }, - { - "value": "Hotels" - }, - { - "value": "Infrastructure" - }, - { - "value": "Intelligence" - }, - { - "value": "IT" - }, - { - "value": "IT - Hacker" - }, - { - "value": "IT - ISP" - }, - { - "value": "IT - Security" - }, - { - "value": "Justice" - }, - { - "value": "Manufacturing" - }, - { - "value": "Maritime" - }, - { - "value": "Military" - }, - { - "value": "Multi-sector" - }, - { - "value": "News - Media" - }, - { - "value": "NGO" - }, - { - "value": "Oil" - }, - { - "value": "Payment" - }, - { - "value": "Pharmacy" - }, - { - "value": "Police - Law enforcement" - }, - { - "value": "Research - Innovation" - }, - { - "value": "Satellite navigation" - }, - { - "value": "Security systems" - }, - { - "value": "Social networks" - }, - { - "value": "Space" - }, - { - "value": "Steel" - }, - { - "value": "Telecoms" - }, - { - "value": "Think Tanks" - }, - { - "value": "Trade" - }, - { - "value": "Transport" - }, - { - "value": "Travel" - }, - { - 
"value": "Turbine" - }, - { - "value": "Tourism" - }, - { - "value": "Life science" - }, - { - "value": "Biomedical" - }, - { - "value": "High tech" - }, - { - "value": "Opposition" - }, - { - "value": "Political party" - }, - { - "value": "Hospitality" - }, - { - "value": "Automotive" - }, - { - "value": "Metal" - }, - { - "value": "Railway" - }, - { - "value": "Water" - }, - { - "value": "Smart meter" - }, - { - "value": "Retai" - }, - { - "value": "Retail" - }, - { - "value": "Technology" - }, - { - "value": "engineering" - }, - { - "value": "Mining" - }, - { - "value": "Sport" - }, - { - "value": "Restaurant" - }, - { - "value": "Semi-conductors" - }, - { - "value": "Insurance" - }, - { - "value": "Legal" - }, - { - "value": "Shipping" - }, - { - "value": "Logistic" - }, - { - "value": "Construction" - }, - { - "value": "Industrial" - }, - { - "value": "Communication equipment" - }, - { - "value": "Security Service" - }, - { - "value": "Tax firm" - }, - { - "value": "Television broadcast" - }, - { - "value": "Separatists" - }, - { - "value": "Dissidents" - }, - { - "value": "Digital services" - }, - { - "value": "Digital infrastructure" - }, - { - "value": "Security actors" - }, - { - "value": "eCommerce" - }, - { - "value": "Islamic forums" - }, - { - "value": "Journalist" - }, - { - "value": "Streaming service" - }, - { - "value": "Puplishing industry" - }, - { - "value": "Publishing industry" - }, - { - "value": "Islamic organisation" - }, - { - "value": "Casino" - }, - { - "value": "Consulting" - }, - { - "value": "Online marketplace" - }, - { - "value": "DNS service provider" - }, - { - "value": "Veterinary" - }, - { - "value": "Marketing" - }, - { - "value": "Video Sharing" - }, - { - "value": "Advertising" - }, - { - "value": "Investment" - }, - { - "value": "Accounting" - }, - { - "value": "Programming" - }, - { - "value": "Managed Services Provider" - }, - { - "value": "Lawyers" - }, - { - "value": "Civil society" - }, - { - "value": "Petrochemical" - 
}, - { - "value": "Immigration" - } - ], - "version": 1, - "uuid": "141deecc-ae4e-11e7-8dfe-f3397ba8cc8", - "description": "Activity sectors", - "authors": [ - "Various" - ], - "source": "CERT-EU", - "type": "sector", - "name": "Sector" -} + "values": [ + { + "value": "Unknown", + "uuid": "3ff4e243-7e26-4535-b911-fdda2f724aa2" + }, + { + "value": "Other", + "uuid": "03655488-3d11-4fbf-8fe6-6148aaa01b83" + }, + { + "value": "Academia - University", + "uuid": "98821a86-3c11-474b-afab-3c84af061407" + }, + { + "value": "Activists", + "uuid": "0a62f502-0a51-44ac-82a3-0a965b98c7a9" + }, + { + "value": "Aerospace", + "uuid": "12f90076-f03d-4a2d-9f33-7a274dc462bb" + }, + { + "value": "Agriculture", + "uuid": "e2214f48-0cdd-4110-ba59-e703282adf2c" + }, + { + "value": "Arts", + "uuid": "b5283132-9245-4a5f-b4bc-1937fd80d80a" + }, + { + "value": "Bank", + "uuid": "19cc9f22-e682-4808-a96c-82e573703dff" + }, + { + "value": "Chemical", + "uuid": "306f828d-8eb8-4adb-bee9-3211bf2a4ff7" + }, + { + "value": "Citizens", + "uuid": "f50c1d4d-9d7c-4076-b5d4-e86dd5de4628" + }, + { + "value": "Civil Aviation", + "uuid": "ed13b6c9-c32c-4a58-82a7-ce64dc7fa086" + }, + { + "value": "Country", + "uuid": "89e7e93a-394f-48e3-ba70-501df2f010c0" + }, + { + "value": "Culture", + "uuid": "8c645d4e-8fcc-48a8-9656-5135cfbc10a6" + }, + { + "value": "Data Broker", + "uuid": "0a2c80eb-ae5d-4d5e-b6fd-2703bc6a750d" + }, + { + "value": "Defense", + "uuid": "9df5fb28-2298-4030-9db3-8cdef35bee14" + }, + { + "value": "Development", + "uuid": "96b329b2-2f04-4ce7-8ef2-bf3d898028c9" + }, + { + "value": "Diplomacy", + "uuid": "33cbaf17-7600-47f7-87c7-39640874a1b4" + }, + { + "value": "Education", + "uuid": "19eca562-123d-449b-af33-5a36e5279b12" + }, + { + "value": "Electric", + "uuid": "ac2dad84-5194-41bb-9edd-aad8d42f828f" + }, + { + "value": "Electronic", + "uuid": "04e0eef9-d7e8-4280-86bb-cc9897be8e08" + }, + { + "value": "Employment", + "uuid": "474e6647-ff06-4a9b-8061-a1a43baf8b15" + }, + { + "value": 
"Energy", + "uuid": "3a94474b-7e23-4e06-9129-faea7ef55af8" + }, + { + "value": "Entertainment", + "uuid": "beb9d5d6-53df-4e99-8fa8-e52880fbe740" + }, + { + "value": "Environment", + "uuid": "8291a998-e888-4351-87ec-c6da6b06bff6" + }, + { + "value": "Finance", + "uuid": "75597b7f-54e8-4f14-88c9-e81485ece483" + }, + { + "value": "Food", + "uuid": "9ade7eff-e2ce-4f05-85de-bb6b70444db4" + }, + { + "value": "Game", + "uuid": "64493b1b-04eb-4f4d-94c7-65c3713131de" + }, + { + "value": "Gas", + "uuid": "851c28c6-2e80-4d63-959b-44037931175b" + }, + { + "value": "Government, Administration", + "uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f" + }, + { + "value": "Health", + "uuid": "4649fe79-cb8f-4aa3-b3e0-e67d4161fcb0" + }, + { + "value": "Higher education", + "uuid": "b822d660-fad3-40da-b4db-9bbf8fe23b27" + }, + { + "value": "Hotels", + "uuid": "909f4de6-91ea-44b6-9c8f-5983fd4877c2" + }, + { + "value": "Infrastructure", + "uuid": "641af156-12d0-4fb4-b89d-971cd454914f" + }, + { + "value": "Intelligence", + "uuid": "7aeb79bf-cc1a-49b5-b2ec-5b1fe4a7e295" + }, + { + "value": "IT", + "uuid": "3f18e5e7-c77d-4890-9d09-412a39a822e5" + }, + { + "value": "IT - Hacker", + "uuid": "342d0a71-584c-4e3f-9b2d-1dc5b5e53e97" + }, + { + "value": "IT - ISP", + "uuid": "872de996-e069-4cd9-b227-d5ca01dc020c" + }, + { + "value": "IT - Security", + "uuid": "6d9dbde3-25de-48b9-ab98-361c4211e6be" + }, + { + "value": "Justice", + "uuid": "784e59ae-89bb-4bc8-82c8-7fab6ca5fb8a" + }, + { + "value": "Manufacturing", + "uuid": "5cacd8fb-a3d4-4ed7-84b5-d69378038591" + }, + { + "value": "Maritime", + "uuid": "82ac6245-8691-4216-a6dd-8c99ebb8ce51" + }, + { + "value": "Military", + "uuid": "5aec0d78-53b2-4fcf-b165-537494b866e4" + }, + { + "value": "Multi-sector", + "uuid": "e10093ef-ccbf-4c24-9093-61e856c05ccd" + }, + { + "value": "News - Media", + "uuid": "a0499041-2b4e-43aa-8fe3-04c2de23abdd" + }, + { + "value": "NGO", + "uuid": "d2f31b1f-a9b1-4f5b-b2b3-1aa2732a0608" + }, + { + "value": "Oil", + "uuid": 
"5875cc3f-d0a5-445e-abb2-08411fc82522" + }, + { + "value": "Payment", + "uuid": "0d688425-afb5-4f71-8b5a-f9be7d2d1551" + }, + { + "value": "Pharmacy", + "uuid": "8d7aa230-d07f-46e8-a099-6f1753793b84" + }, + { + "value": "Police - Law enforcement", + "uuid": "36432a96-225a-4c90-b0f5-44eaee45e306" + }, + { + "value": "Research - Innovation", + "uuid": "738939b4-c93f-4972-938a-7eb1f60188b9" + }, + { + "value": "Satellite navigation", + "uuid": "40082760-ed9e-4fcb-8bfa-2341d81d5e22" + }, + { + "value": "Security systems", + "uuid": "23429f36-298a-4ac6-8db9-87223bef9cbf" + }, + { + "value": "Social networks", + "uuid": "61809257-9f13-4910-b824-f483c4334bb5" + }, + { + "value": "Space", + "uuid": "595be3ad-bfb3-4bea-b81a-2fef618a1075" + }, + { + "value": "Steel", + "uuid": "cdc8b76f-a8df-4d30-81c1-bdb4935c718d" + }, + { + "value": "Telecoms", + "uuid": "0de938bd-4efa-4c7a-9244-71a79317d142" + }, + { + "value": "Think Tanks", + "uuid": "3c70895b-573b-450c-ad0a-98b0e1a9741e" + }, + { + "value": "Trade", + "uuid": "4fef12b1-0bee-4855-81fb-9b7d2c5a1dec" + }, + { + "value": "Transport", + "uuid": "e93eb8db-72b1-4407-be3e-8cfea8f9efee" + }, + { + "value": "Travel", + "uuid": "33a4f4fe-9bc3-4d43-b5ab-64fcc35882cf" + }, + { + "value": "Turbine", + "uuid": "69b8bfcd-600e-45d8-962a-ce09ed0914ab" + }, + { + "value": "Tourism", + "uuid": "bf0753fd-cb62-440d-a2c5-1adfb037676e" + }, + { + "value": "Life science", + "uuid": "87eae00d-b973-46db-83a2-1f520aebcd44" + }, + { + "value": "Biomedical", + "uuid": "58282b0e-10d4-4294-8845-6f41a1e79730" + }, + { + "value": "High tech", + "uuid": "cd4dfa11-5f4a-4d02-a2cc-35603261e631" + }, + { + "value": "Opposition", + "uuid": "18daafae-a923-4cf5-bf87-d8b35dd297e2" + }, + { + "value": "Political party", + "uuid": "a93f281c-1fb4-471d-88ba-dfe5f3af13ff" + }, + { + "value": "Hospitality", + "uuid": "d1aa1165-981a-4d9f-aece-c130c5034e1b" + }, + { + "value": "Automotive", + "uuid": "79e7755d-d7fa-4bbc-b956-e296c614745e" + }, + { + "value": "Metal", + 
"uuid": "3a7dae7d-2590-4e80-9c13-c22048a09f8a" + }, + { + "value": "Railway", + "uuid": "02847338-fe03-4073-9f5b-c6fedc244b04" + }, + { + "value": "Water", + "uuid": "26282f7e-8db4-4369-8af1-3981f6a93350" + }, + { + "value": "Smart meter", + "uuid": "62487559-c0e5-4250-af48-d43fa2e61b82" + }, + { + "value": "Retai", + "uuid": "a26ae91b-df10-4c6f-b7bc-14c7ba13f21d" + }, + { + "value": "Retail", + "uuid": "6ce2374c-2c81-4298-a941-666bf4258c00" + }, + { + "value": "Technology", + "uuid": "ff403f0f-67d0-494c-aff9-1d748b7e7d8d" + }, + { + "value": "engineering", + "uuid": "e07cd84c-1d66-4de3-8b93-15fa93f119cc" + }, + { + "value": "Mining", + "uuid": "7508db07-ffd1-4137-9941-718f18370c4c" + }, + { + "value": "Sport", + "uuid": "e8355f07-48c7-497b-9a14-3c2a6325ef3d" + }, + { + "value": "Restaurant", + "uuid": "5eee85f4-f8dc-4dea-9ba2-af1e9f957097" + }, + { + "value": "Semi-conductors", + "uuid": "5b9bb2f4-3e03-46b9-ab65-a7f99b726a32" + }, + { + "value": "Insurance", + "uuid": "c4f35266-0f80-4948-9c0a-f4681ed0d507" + }, + { + "value": "Legal", + "uuid": "94a7ffd4-d2e4-4324-be71-f274e84de089" + }, + { + "value": "Shipping", + "uuid": "64483d7b-71a4-4130-803e-2c614a098d8b" + }, + { + "value": "Logistic", + "uuid": "934bc859-ebc4-48d7-adb7-5accd4f0f965" + }, + { + "value": "Construction", + "uuid": "4b5c230d-70b8-4748-a27c-bec121c436d8" + }, + { + "value": "Industrial", + "uuid": "3153215a-784d-478e-a147-3410a5b43b39" + }, + { + "value": "Communication equipment", + "uuid": "f4e11fd2-f2a2-4d09-8ed4-7ef978ccc03b" + }, + { + "value": "Security Service", + "uuid": "886e517c-0331-445e-9c4b-ebe08aeb01cd" + }, + { + "value": "Tax firm", + "uuid": "138159c5-0b29-46a5-91e2-fe01f7e7111d" + }, + { + "value": "Television broadcast", + "uuid": "13fe4a5d-8d86-4875-b763-02bc5705810f" + }, + { + "value": "Separatists", + "uuid": "d6335a0a-dfa2-4150-804b-86d06139e38a" + }, + { + "value": "Dissidents", + "uuid": "c2f32e7c-6162-4999-ac3b-356007446d18" + }, + { + "value": "Digital services", + 
"uuid": "5a9da7ef-57b8-4a22-88be-b8b6556fd447" + }, + { + "value": "Digital infrastructure", + "uuid": "a10c2362-3ee9-4741-b5a5-c2fd1c7c730f" + }, + { + "value": "Security actors", + "uuid": "0904672b-c18a-450e-88d6-6a94dd0eb25a" + }, + { + "value": "eCommerce", + "uuid": "7e1ec8ba-24c4-4ad4-a596-7532ecbd0fbd" + }, + { + "value": "Islamic forums", + "uuid": "c529331a-e2a9-4ba9-bb92-d4f88ae3704b" + }, + { + "value": "Journalist", + "uuid": "ea95dce2-c2fc-48cb-95c7-d9200811f030" + }, + { + "value": "Streaming service", + "uuid": "2287c024-9643-43ef-8776-858d3994b9ac" + }, + { + "value": "Puplishing industry", + "uuid": "97e018e8-e03b-48ff-8add-1059f035069a" + }, + { + "value": "Publishing industry", + "uuid": "867cbcb3-8baa-476f-bec5-ceb36e9b1e09" + }, + { + "value": "Islamic organisation", + "uuid": "3929f589-ac94-4a6a-8360-122e06484db8" + }, + { + "value": "Casino", + "uuid": "2e7ad54f-7637-4268-a9b9-cb2975d6bab9" + }, + { + "value": "Consulting", + "uuid": "87ad7866-bdfa-4a22-a4f3-c411fecb1d0d" + }, + { + "value": "Online marketplace", + "uuid": "737a196b-7bab-460b-b199-d6626fca1af1" + }, + { + "value": "DNS service provider", + "uuid": "e48c0afc-afab-4ced-9a8b-a28d4a2efa08" + }, + { + "value": "Veterinary", + "uuid": "4bc73e7c-d174-4faf-9176-d0ccc8ccfbbf" + }, + { + "value": "Marketing", + "uuid": "ee5720bb-c638-46f8-bdf2-55579bf37eb2" + }, + { + "value": "Video Sharing", + "uuid": "55d12d41-c558-4cdf-b2c5-f246403ca68f" + }, + { + "value": "Advertising", + "uuid": "b018010e-272e-4ca9-8551-073618d7f2ad" + }, + { + "value": "Investment", + "uuid": "40d66f31-36c2-42ff-97c6-97b34b5ce04e" + }, + { + "value": "Accounting", + "uuid": "6edffd60-443c-4238-b368-362b47340d8b" + }, + { + "value": "Programming", + "uuid": "855f40e1-074e-4818-8082-696a54adf13f" + }, + { + "value": "Managed Services Provider", + "uuid": "f9260307-f792-4e60-8aa5-e2b4f84adadb" + }, + { + "value": "Lawyers", + "uuid": "56eee132-fc01-410c-ada0-44d713443bf2" + }, + { + "value": "Civil society", + 
"uuid": "9c1f6a5b-d9de-4cce-a024-7437cb20e24e" + }, + { + "value": "Petrochemical", + "uuid": "1f1c762b-1e39-4989-8679-cc1f9cb08349" + }, + { + "value": "Immigration", + "uuid": "bfd171a5-33f5-4c79-81c5-3dda99dae559" + } + ], + "version": 1, + "uuid": "141deecc-ae4e-11e7-8dfe-f3397ba8cc8", + "description": "Activity sectors", + "authors": [ + "Various" + ], + "source": "CERT-EU", + "type": "sector", + "name": "Sector" +} \ No newline at end of file diff --git a/clusters/tds.json b/clusters/tds.json index 6432908..4341101 100644 --- a/clusters/tds.json +++ b/clusters/tds.json 
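Review bot: The galaxy-level `"uuid": "141deecc-ae4e-11e7-8dfe-f3397ba8cc8"` at the foot of the new side has an 11-character final group, so it is not a well-formed UUID; it is carried over from the old side, but a commit whose purpose is to give every entry a stable `uuid` is the right place to correct the container id as well. The typo entries `"Retai"` and `"Puplishing industry"` sit next to `"Retail"` and `"Publishing industry"` and each now receives its own uuid, which turns a harmless duplicate into a permanent identifier that downstream consumers keying on uuid will have to carry forever; dropping or merging them before ids are assigned would be cleaner. `"version": 1` is unchanged although every value object changed, so anything that presumably uses the version to decide whether to re-import will not pick up the new ids — consider `"version": 2`.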
@@ -1,115 +1,124 @@ { - "values": [ - { - "value": "Keitaro", - "description": "Keitaro TDS is among the mostly used TDS in drive by infection chains", - "meta": { - "refs": [ - "https://keitarotds.com/" - ], - "type": [ - "Commercial" - ] - } - }, - { - "value": "BlackTDS", - "description": "BlackTDS is mutualised TDS advertised underground since end of December 2017", - "meta": { - "refs": [ - "https://blacktds[.com/" - ], - "type": [ - "Underground" - ] - } - }, - { - "value": "ShadowTDS", - "description": "ShadowTDS is advertised underground since 2016-02. It's in fact more like a Social Engineering kit focused on Android and embedding a TDS", - "meta": { - "type": [ - "Underground" - ] - } - }, - { - "value": "Sutra", - "description": "Sutra TDS was dominant from 2012 till 2015", - "meta": { - "refs": [ - "http://kytoon.com/sutra-tds.html" - ], - "type": [ - "Commercial" - ] - } - }, - { - "value": "SimpleTDS", - "description": "SimpleTDS is a basic open source TDS", - "meta": { - "refs": [ - "https://sourceforge.net/projects/simpletds/" - ], - "synonyms": [ - "Stds" - ], - "type": [ - "OpenSource" - ] - } - }, - { - "value": "BossTDS", - "description": "BossTDS", - "meta": { - "refs": [ - "http://bosstds.com/" - ], - "type": [ - "Commercial" - ] - } - }, - { - "value": "BlackHat TDS", - "description": "BlackHat TDS is sold underground.", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html" - ], - "type": [ - "Underground" - ] - } - }, - { - "value": "Futuristic TDS", - "description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer", - "meta": { - "type": [ - "Underground" - ] - } - }, - { - "value": "Orchid TDS", - "description": "Orchid TDS was sold underground. 
Rare usage", - "meta": { - "type": [ - "Underground" - ] - } - } - ], - "version": 3, - "uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01", - "description": "TDS is a list of Traffic Direction System used by adversaries", - "authors": [ - "Kafeine" - ], - "source": "MISP Project", - "type": "tds", - "name": "TDS" -} + "values": [ + { + "value": "Keitaro", + "description": "Keitaro TDS is among the mostly used TDS in drive by infection chains", + "meta": { + "refs": [ + "https://keitarotds.com/" + ], + "type": [ + "Commercial" + ] + }, + "uuid": "94c57fc0-4477-4643-b539-55ba8c455df6" + }, + { + "value": "BlackTDS", + "description": "BlackTDS is mutualised TDS advertised underground since end of December 2017", + "meta": { + "refs": [ + "https://blacktds[.com/" + ], + "type": [ + "Underground" + ] + }, + "uuid": "d5c0cf8d-8ed0-4fa2-a2e6-7274516ea1c8" + }, + { + "value": "ShadowTDS", + "description": "ShadowTDS is advertised underground since 2016-02. It's in fact more like a Social Engineering kit focused on Android and embedding a TDS", + "meta": { + "type": [ + "Underground" + ] + }, + "uuid": "2680a4b1-84d1-4af0-8126-4429a90f8ef8" + }, + { + "value": "Sutra", + "description": "Sutra TDS was dominant from 2012 till 2015", + "meta": { + "refs": [ + "http://kytoon.com/sutra-tds.html" + ], + "type": [ + "Commercial" + ] + }, + "uuid": "67f21003-bbc8-4993-b615-f990e539929f" + }, + { + "value": "SimpleTDS", + "description": "SimpleTDS is a basic open source TDS", + "meta": { + "refs": [ + "https://sourceforge.net/projects/simpletds/" + ], + "synonyms": [ + "Stds" + ], + "type": [ + "OpenSource" + ] + }, + "uuid": "aa179c37-1a8a-4761-841a-cc940e19d7be" + }, + { + "value": "BossTDS", + "description": "BossTDS", + "meta": { + "refs": [ + "http://bosstds.com/" + ], + "type": [ + "Commercial" + ] + }, + "uuid": "5a483b4b-671a-4113-9b99-a115d2d2d644" + }, + { + "value": "BlackHat TDS", + "description": "BlackHat TDS is sold underground.", + "meta": { + "refs": [ + 
"http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html" + ], + "type": [ + "Underground" + ] + }, + "uuid": "36aa3b2d-4927-45e5-be08-f30144fd1909" + }, + { + "value": "Futuristic TDS", + "description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer", + "meta": { + "type": [ + "Underground" + ] + }, + "uuid": "19d8eab9-72d5-4f22-affb-c0d6aed66346" + }, + { + "value": "Orchid TDS", + "description": "Orchid TDS was sold underground. Rare usage", + "meta": { + "type": [ + "Underground" + ] + }, + "uuid": "ec0048f2-a7b2-4a71-83de-6e8fe4fef252" + } + ], + "version": 3, + "uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01", + "description": "TDS is a list of Traffic Direction System used by adversaries", + "authors": [ + "Kafeine" + ], + "source": "MISP Project", + "type": "tds", + "name": "TDS" +} \ No newline at end of file diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 510d44d..f6df7f3 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
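Review bot: `"version": 3` is left as it was even though every entry in the new side gained a `uuid`, which is the same omission as in the sector.json hunk above; a consumer that presumably compares versions before re-importing will keep the id-less copy. The ref `"https://blacktds[.com/"` is defanged with a single bracket while every other ref in this file is a plain URL, so a tool that dereferences refs will fail on this one and a reader cannot tell whether the bracket is intentional; either use one consistent defang form across the galaxy or add a short `"description"` note that the ref is deliberately defanged.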
@@ -1,2294 +1,2471 @@ { - "values": [ - { - "meta": { - "synonyms": [ - "Comment Panda", - "PLA Unit 61398", - "APT 1", - "APT1", - "Advanced Persistent Threat 1", - "Byzantine Candor", - "Group 3", - "TG-8223", - "Comment Group", - "Brown Fox" - ], - "country": "CN", - "refs": [ - "https://en.wikipedia.org/wiki/PLA_Unit_61398", - "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf" - ] - }, - "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", - "value": "Comment Crew" - }, - { - "meta": { - "country": "CN" - }, - "value": "Stalker Panda" - }, - { - "value": "Nitro", - "description": "These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014. ", - "meta": { - "country": "CN", - "refs": [ - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf" - ], - "synonyms": [ - "Covert Grove" - ] - } - }, - { - "value": "Codoso", - "description": "The New York Times described Codoso as: 'A collection of hackers for hire that the security industry has been tracking for years. 
Over the years, the group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors’ computers with malware.'", - "meta": { - "country": "CN", - "refs": [ - "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks", - "http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf", - "http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", - "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html" - ], - "synonyms": [ - "C0d0so", - "APT19", - "APT 19", - "Sunshop Group" - ] - } - }, - { - "meta": { - "refs": [ - "https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf" - ] - }, - "value": "Dust Storm" - }, - { - "value": "Karma Panda", - "description": "Adversary targeting dissident groups in China and its surroundings.", - "meta": { - "country": "CN", - "refs": [ - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" - ] - } - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "temp.bottle" - ] - }, - "value": "Keyhole Panda" - }, - { - "meta": { - "country": "CN", - "refs": [ - "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" - ] - }, - "value": "Wet Panda" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" - ] - }, - "value": "Foxy Panda", - "description": "Adversary group targeting telecommunication and technology organizations." 
- }, - { - "meta": { - "country": "CN", - "refs": [ - "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" - ] - }, - "value": "Predator Panda" - }, - { - "meta": { - "country": "CN", - "refs": [ - "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" - ] - }, - "value": "Union Panda" - }, - { - "meta": { - "country": "CN", - "refs": [ - "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" - ] - }, - "value": "Spicy Panda" - }, - { - "meta": { - "country": "CN", - "refs": [ - "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" - ] - }, - "value": "Eloquent Panda" - }, - { - "meta": { - "synonyms": [ - "LadyBoyle" - ] - }, - "value": "Dizzy Panda" - }, - { - "meta": { - "synonyms": [ - "PLA Unit 61486", - "APT 2", - "Group 36", - "APT-2", - "MSUpdater", - "4HCrew", - "SULPHUR", - "TG-6952" - ], - "country": "CN", - "refs": [ - "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" - ] - }, - "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. 
The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'", - "value": "Putter Panda" - }, - { - "meta": { - "synonyms": [ - "Gothic Panda", - "TG-0110", - "APT 3", - "Group 6", - "UPS Team", - "APT3", - "Buckeye" - ], - "country": "CN", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", - "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" - ] - }, - "value": "UPS", - "description": "Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'" - }, - { - "meta": { - "synonyms": [ - "DUBNIUM", - "Fallout Team", - "Karba", - "Luder", - "Nemim", - "Tapaoux" - ], - "refs": [ - "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", - "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2", - "https://securelist.com/blog/research/66779/the-darkhotel-apt/", - "http://drops.wooyun.org/tips/11726", - "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/" - ] - }, - "value": "DarkHotel", - "description": "Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. 
Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'" - }, - { - "meta": { - "synonyms": [ - "Numbered Panda", - "TG-2754", - "BeeBus", - "Group 22", - "DynCalc", - "Calc Team", - "DNSCalc", - "Crimson Iron", - "APT12", - "APT 12" - ], - "country": "CN", - "refs": [ - "http://www.crowdstrike.com/blog/whois-numbered-panda/" - ] - }, - "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", - "value": "IXESHE" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" - ] - }, - "value": "APT 16" - }, - { - "meta": { - "synonyms": [ - "APT 17", - "Deputy Dog", - "Group 8", - "APT17", - "Hidden Lynx", - "Tailgater Team" - ], - "country": "CN", - "refs": [ - "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf" - ] - }, - "value": "Aurora Panda", - "description": "FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. 
government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'" - }, - { - "meta": { - "synonyms": [ - "Dynamite Panda", - "TG-0416", - "APT 18", - "SCANDIUM", - "PLA Navy", - "APT18" - ], - "country": "CN", - "refs": [ - "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828" - ] - }, - "value": "Wekby", - "description": "Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'" - }, - { - "meta": { - "synonyms": [ - "Operation Tropic Trooper" - ], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", - "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" - ] - }, - "value": "Tropic Trooper", - "description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. 
The same campaign has also targeted key Philippine military agencies.'" - }, - { - "meta": { - "synonyms": [ - "Winnti Group", - "Tailgater Team", - "Group 72", - "Group72", - "Tailgater", - "Ragebeast", - "Blackfly", - "Lead", - "Wicked Spider", - "APT17", - "APT 17", - "Dogfish", - "Deputy Dog", - "Wicked Panda", - "Barium" - ], - "country": "CN", - "refs": [ - "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/", - "http://williamshowalter.com/a-universal-windows-bootkit/", - "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp" - ] - }, - "value": "Axiom", - "description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. 
The majority of the victims are from South East Asia.'" - }, - { - "meta": { - "synonyms": [ - "Deep Panda", - "WebMasters", - "APT 19", - "KungFu Kittens", - "Black Vine", - "Group 13", - "PinkPanther", - "Sh3llCr3w" - ], - "country": "CN", - "refs": [ - "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf", - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" - ] - }, - "description": "Adversary group targeting financial, technology, non-profit organisations.", - "value": "Shell Crew" - }, - { - "meta": { - "synonyms": [ - "PLA Unit 78020", - "APT 30", - "APT30", - "Override Panda", - "Camerashy", - "APT.Naikon" - ], - "country": "CN", - "refs": [ - "https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html" - ] - }, - "value": "Naikon", - "description": "Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'" - }, - { - "meta": { - "synonyms": [ - "Spring Dragon", - "ST Group" - ], - "country": "CN", - "refs": [ - "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", - "https://securelist.com/spring-dragon-updated-activity/79067/" - ] - }, - "value": "Lotus Blossom" - }, - { - "meta": { - "synonyms": [ - "Elise" - ], - "country": "CN", - "refs": [ - "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/" - ] - }, - "value": "Lotus Panda" - }, - { - "meta": { - "synonyms": [ - "Black Vine", - "TEMP.Avengers" - ], - "country": "CN", - "refs": [ - 
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/" - ] - }, - "value": "Hurricane Panda" - }, - { - "meta": { - "synonyms": [ - "TG-3390", - "APT 27", - "TEMP.Hippo", - "Group 35", - "Bronze Union", - "ZipToken", - "HIPPOTeam", - "APT27", - "Operation Iron Tiger", - "Iron Tiger APT" - ], - "country": "CN", - "refs": [ - "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", - "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", - "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", - "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/" - ] - }, - "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.", - "value": "Emissary Panda" - }, - { - "meta": { - "synonyms": [ - "APT10", - "APT 10", - "menuPass", - "happyyongzi", - "POTASSIUM", - "DustStorm", - "Red Apollo", - "CVNX" - ], - "country": "CN", - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/" - ] - }, - "value": "Stone Panda" - }, - { - "meta": { - "synonyms": [ - "APT 9", - "Flowerlady/Flowershow", - "Flowerlady", - "Flowershow" - ], - "country": "CN", - "refs": [ - "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/" - ] - }, - "value": "Nightshade Panda" - }, - { - "meta": { - "synonyms": [ - "Goblin Panda", - "Cycldek" - ], - "country": "CN", - "refs": [ - "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/" - ] - }, - "value": "Hellsing" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://kc.mcafee.com/corporate/index?page=content&id=KB71150" - ] - }, - "value": "Night 
Dragon" - }, - { - "meta": { - "synonyms": [ - "Vixen Panda", - "Ke3Chang", - "GREF", - "Playful Dragon", - "APT 15", - "Metushy", - "Lurid", - "Social Network Team" - ], - "country": "CN", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html", - "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/" - ] - }, - "value": "Mirage" - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "APT14", - "APT 14", - "QAZTeam", - "ALUMINUM" - ], - "refs": [ - "http://www.crowdstrike.com/blog/whois-anchor-panda/" - ], - "motive": "Espionage" - }, - "value": "Anchor Panda", - "description": "PLA Navy" - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "APT 21" - ], - "refs": [ - "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/" - ] - }, - "value": "NetTraveler" - }, - { - "meta": { - "synonyms": [ - "IceFog", - "Dagger Panda" - ], - "country": "CN", - "refs": [ - "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/", - "https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/" - ] - }, - "value": "Ice Fog", - "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well." - }, - { - "meta": { - "synonyms": [ - "PittyTiger", - "MANGANESE" - ], - "country": "CN", - "refs": [ - "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2" - ] - }, - "value": "Pitty Panda", - "description": "The Pitty Tiger group has been active since at least 2011. 
They have been seen using HeartBleed vulnerability in order to directly get valid credentials" - }, - { - "value": "Roaming Tiger", - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" - ] - } - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "Sneaky Panda" - ] - }, - "value": "Beijing Group" - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "Shrouded Crossbow" - ] - }, - "value": "Radio Panda" - }, - { - "value": "APT.3102", - "meta": { - "country": "CN", - "refs": [ - "http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/" - ] - } - }, - { - "meta": { - "synonyms": [ - "PLA Navy", - "APT4", - "APT 4", - "Wisp Team", - "Getkys", - "SykipotGroup", - "Wkysol" - ], - "country": "CN", - "refs": [ - "http://www.crowdstrike.com/blog/whois-samurai-panda/" - ] - }, - "value": "Samurai Panda" - }, - { - "meta": { - "country": "CN" - }, - "value": "Impersonating Panda" - }, - { - "meta": { - "country": "CN", - "refs": [ - "http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/" - ], - "synonyms": [ - "APT20", - "APT 20", - "APT8", - "APT 8", - "TH3Bug" - ] - }, - "value": "Violin Panda" - }, - { - "meta": { - "country": "CN", - "refs": [ - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" - ] - }, - "description": "A group targeting dissident groups in China and at the boundaries.", - "value": "Toxic Panda" - }, - { - "meta": { - "synonyms": [ - "Admin338", - "Team338", - "MAGNESIUM", - "admin@338" - ], - "country": "CN", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", - 
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" - ] - }, - "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.", - "value": "Temper Panda" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india", - "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/" - ], - "synonyms": [ - "APT23", - "KeyBoy" - ] - }, - "value": "Pirate Panda" - }, - { - "meta": { - "country": "IR", - "synonyms": [ - "SaffronRose", - "Saffron Rose", - "AjaxSecurityTeam", - "Ajax Security Team", - "Group 26" - ], - "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf", - "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" - ] - }, - "value": "Flying Kitten", - "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry." - }, - { - "meta": { - "country": "IR", - "synonyms": [ - "ITSecTeam", - "Threat Group 2889", - "TG-2889", - "Ghambar" - ], - "refs": [ - "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" - ] - }, - "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. 
CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.", - "value": "Cutting Kitten" - }, - { - "meta": { - "country": "IR", - "synonyms": [ - "Newscaster", - "Parastoo", - "iKittens", - "Group 83", - "Newsbeef" - ], - "refs": [ - "https://en.wikipedia.org/wiki/Operation_Newscaster", - "https://iranthreats.github.io/resources/macdownloader-macos-malware/", - "https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/", - "https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/", - "https://cryptome.org/2012/11/parastoo-hacks-iaea.htm", - "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf", - "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/", - "https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf", - "https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks" - ] - }, - "value": "Charming Kitten", - "description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors." - }, - { - "meta": { - "country": "IR", - "synonyms": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" - ] - }, - "description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. 
We assess APT33 works at the behest of the Iranian government.", - "value": "APT33" - }, - { - "meta": { - "country": "IR", - "synonyms": [ - "Group 42" - ], - "refs": [ - "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" - ] - }, - "description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.", - "value": "Magic Kitten" - }, - { - "meta": { - "synonyms": [ - "TEMP.Beanie", - "Operation Woolen Goldfish", - "Thamar Reservoir", - "Timberworm" - ], - "country": "IR", - "refs": [ - "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing", - "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", - "http://www.clearskysec.com/thamar-reservoir/", - "https://citizenlab.org/2015/08/iran_two_factor_phishing/", - "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", - "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets", - "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", - "https://en.wikipedia.org/wiki/Rocket_Kitten" - ] - }, - "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.", - "value": "Rocket Kitten" - }, - { - "meta": { - "country": "IR", - "synonyms": [ - "Operation Cleaver", - "Tarh Andishan", - "Alibaba", - "2889", - "TG-2889", - "Cobalt Gypsy", - "Ghambar", - "Cutting Kitten" - ], - "refs": [ - 
"http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf", - "https://www.secureworks.com/research/the-curious-case-of-mia-ash", - "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" - ] - }, - "value": "Cleaver", - "description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies." - }, - { - "meta": { - "country": "IR" - }, - "value": "Sands Casino" - }, - { - "meta": { - "country": "TN", - "synonyms": [ - "FallagaTeam" - ], - "motive": "Hacktivism-Nationalist" - }, - "value": "Rebel Jackal", - "description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region." 
- }, - { - "meta": { - "country": "AE", - "synonyms": [ - "Vikingdom" - ] - }, - "value": "Viking Jackal" - }, - { - "meta": { - "synonyms": [ - "APT 28", - "APT28", - "Pawn Storm", - "Fancy Bear", - "Sednit", - "TsarTeam", - "TG-4127", - "Group-4127", - "STRONTIUM", - "TAG_0700", - "Swallowtail", - "IRON TWILIGHT", - "Group 74" - ], - "country": "RU", - "refs": [ - "https://en.wikipedia.org/wiki/Sofacy_Group", - "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf", - "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", - "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/" - ] - }, - "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. 
It has been characterized as an advanced persistent threat.", - "value": "Sofacy" - }, - { - "meta": { - "synonyms": [ - "Dukes", - "Group 100", - "Cozy Duke", - "CozyDuke", - "EuroAPT", - "CozyBear", - "CozyCar", - "Cozer", - "Office Monkeys", - "OfficeMonkeys", - "APT29", - "Cozy Bear", - "The Dukes", - "Minidionis", - "SeaDuke", - "Hammer Toss" - ], - "country": "RU", - "refs": [ - "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/", - "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf", - "https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", - "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" - ] - }, - "value": "APT 29", - "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. 
In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering '" - }, - { - "meta": { - "synonyms": [ - "Turla", - "Snake", - "Venomous Bear", - "Group 88", - "Waterbug", - "WRAITH", - "Turla Team", - "Uroburos", - "Pfinet", - "TAG_0530", - "KRYPTON", - "Hippo Team" - ], - "refs": [ - "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", - "https://www.circl.lu/pub/tr-25/", - "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec", - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", - "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", - "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/", - "https://securelist.com/blog/research/67962/the-penquin-turla-2/", - "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf", - "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" - ], - "country": "RU" - }, - "value": "Turla Group", - "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. 
Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. 
Cyrillic was also seen in use.'" - }, - { - "meta": { - "synonyms": [ - "Dragonfly", - "Crouching Yeti", - "Group 24", - "Havex", - "CrouchingYeti", - "Koala Team" - ], - "country": "RU", - "refs": [ - "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", - "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans", - "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/" - ] - }, - "description": "A Russian group that collects intelligence on the energy industry.", - "value": "Energetic Bear" - }, - { - "meta": { - "synonyms": [ - "Sandworm Team", - "Black Energy", - "BlackEnergy", - "Quedagh", - "Voodoo Bear", - "TEMP.Noble" - ], - "country": "RU", - "refs": [ - "http://www.isightpartners.com/2014/10/cve-2014-4114/", - "http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/", - "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", - "https://www.us-cert.gov/ncas/alerts/TA17-163A", - "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid" - ] - }, - "value": "Sandworm" - }, - { - "meta": { - "country": "RU", - "refs": [ - "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" - ], - "synonyms": [ - "Sandworm" - ] - }, - "value": "TeleBots", - "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group." 
- }, - { - "meta": { - "synonyms": [ - "Carbanak", - "Carbon Spider", - "FIN7" - ], - "country": "RU", - "refs": [ - "https://en.wikipedia.org/wiki/Carbanak", - "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf", - "http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf", - "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", - "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/", - "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor", - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns" - ], - "motive": "Cybercrime" - }, - "description": "Groups targeting financial organizations or people with significant financial assets.", - "value": "Anunak" - }, - { - "meta": { - "synonyms": [ - "TeamSpy", - "Team Bear", - "Berserk Bear", - "Anger Bear" - ], - "country": "RU", - "refs": [ - "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/" - ] - }, - "value": "TeamSpy Crew" - }, - { - "meta": { - "country": "RU", - "refs": [ - "http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/" - ] - }, - "value": "BuhTrap" - }, - { - "meta": { - "country": "RU" - }, - "value": "Berserk Bear" - }, - { - "meta": { - "country": "RO", - "synonyms": [ - "FIN4" - ] - }, - "value": "Wolf Spider" - }, - { - "meta": { - "country": "RU" - }, - "value": "Boulder Bear", - "description": "First observed activity in December 2013." - }, - { - "meta": { - "country": "RU" - }, - "value": "Shark Spider", - "description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets." 
- }, - { - "meta": { - "country": "RU", - "refs": [ - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" - ] - }, - "value": "Union Spider", - "description": "Adversary targeting manufacturing and industrial organizations." - }, - { - "meta": { - "country": "KP", - "synonyms": [ - "OperationTroy", - "Guardian of Peace", - "GOP", - "WHOis Team" - ], - "refs": [ - "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" - ] - }, - "value": "Silent Chollima" - }, - { - "meta": { - "country": "KP", - "synonyms": [ - "Operation DarkSeoul", - "Dark Seoul", - "Hidden Cobra", - "Hastati Group", - "Andariel", - "Unit 121", - "Bureau 121", - "NewRomanic Cyber Army Team", - "Bluenoroff" - ], - "refs": [ - "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/", - "https://www.us-cert.gov/ncas/alerts/TA17-164A", - "https://securelist.com/lazarus-under-the-hood/77908/", - "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf", - "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", - "https://www.us-cert.gov/ncas/alerts/TA17-318A", - "https://www.us-cert.gov/ncas/alerts/TA17-318B" - ] - }, - "value": "Lazarus Group", - "description": "Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman." 
- }, - { - "meta": { - "synonyms": [ - "Appin", - "OperationHangover" - ], - "country": "IN", - "refs": [ - "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf" - ] - }, - "value": "Viceroy Tiger" - }, - { - "meta": { - "synonyms": [ - "DD4BC", - "Ambiorx" - ], - "country": "US" - }, - "value": "Pizzo Spider" - }, - { - "meta": { - "synonyms": [ - "TunisianCyberArmy" - ], - "country": "TN", - "refs": [ - "https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/" - ] - }, - "value": "Corsair Jackal" - }, - { - "value": "SNOWGLOBE", - "meta": { - "country": "FR", - "refs": [ - "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/", - "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france", - "http://www.cyphort.com/evilbunny-malware-instrumented-lua/", - "http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", - "https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html" - ], - "synonyms": [ - "Animal Farm" - ] - }, - "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007." - }, - { - "meta": { - "synonyms": [ - "SyrianElectronicArmy", - "SEA" - ], - "country": "SY", - "refs": [ - "https://en.wikipedia.org/wiki/Syrian_Electronic_Army" - ] - }, - "description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. 
Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear", - "value": "Deadeye Jackal" - }, - { - "meta": { - "country": "PK", - "synonyms": [ - "C-Major" - ], - "refs": [ - "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf" - ] - }, - "value": "Operation C-Major", - "description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro." - }, - { - "meta": { - "refs": [ - "https://citizenlab.org/2016/05/stealth-falcon/" - ], - "synonyms": [ - "FruityArmor" - ], - "country": "AE" - }, - "value": "Stealth Falcon", - "description": "Group targeting Emirati journalists, activists, and dissidents." - }, - { - "meta": { - "synonyms": [ - "Operation Daybreak", - "Operation Erebus" - ], - "refs": [ - "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/" - ] - }, - "value": "ScarCruft", - "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer." 
- }, - { - "meta": { - "refs": [ - "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" - ], - "synonyms": [ - "Skipper", - "Popeye" - ], - "country": "RU" - }, - "value": "Pacifier APT", - "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail." - }, - { - "meta": { - "country": "CN", - "refs": [ - "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf" - ] - }, - "description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. With the potential to sell access to these devices to the highest bidder", - "value": "HummingBad" - }, - { - "meta": { - "synonyms": [ - "Chinastrats", - "Patchwork", - "Monsoon", - "Sarit" - ], - "refs": [ - "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/", - "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries", - "https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign", - "https://www.cymmetria.com/patchwork-targeted-attack/" - ] - }, - "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. 
Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.", - "value": "Dropping Elephant" - }, - { - "meta": { - "refs": [ - "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" - ] - }, - "description": "Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.", - "value": "Operation Transparent Tribe" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://attack.mitre.org/wiki/Groups", - "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" - ] - }, - "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.", - "value": "Scarlet Mimic" - }, - { - "meta": { - "refs": [ - "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/", - "https://attack.mitre.org/wiki/Groups" - ], - "country": "BR" - }, - "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. 
The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.", - "value": "Poseidon Group" - }, - { - "meta": { - "synonyms": [ - "Moafee" - ], - "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", - "https://attack.mitre.org/wiki/Groups", - "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/", - "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor", - "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor" - ], - "country": "CN" - }, - "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 
2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.", - "value": "DragonOK" - }, - { - "meta": { - "synonyms": [ - "TG-3390", - "Emissary Panda" - ], - "refs": [ - "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", - "https://attack.mitre.org" - ], - "country": "CN" - }, - "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.", - "value": "Threat Group-3390" - }, - { - "meta": { - "synonyms": [ - "Strider", - "Sauron" - ], - "refs": [ - "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/" - ] - }, - "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. 
The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.", - "value": "ProjectSauron" - }, - { - "meta": { - "refs": [ - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", - "https://attack.mitre.org/wiki/Group/G0013" - ], - "synonyms": [ - "APT30" - ], - "country": "CN" - }, - "value": "APT 30", - "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches." - }, - { - "meta": { - "country": "CN" - }, - "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns", - "value": "TA530" - }, - { - "meta": { - "refs": [ - "https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/" - ], - "country": "RU" - }, - "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.", - "value": "GCMAN" - }, - { - "meta": { - "refs": [ - "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", - "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" - ], - "country": "CN" - }, - "description": "Suckfly is a China-based threat group that has been active since at least 2014", - "value": "Suckfly" - }, - { - "meta": { - "refs": [ - "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" - ] - }, - "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.", - "value": "FIN6" - }, - { - "meta": { - "country": "LY" - }, - "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign 
within Libya.", - "value": "Libyan Scorpions" - }, - { - "meta": { - "synonyms": [ - "CorporacaoXRat", - "CorporationXRat" - ], - "refs": [ - "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" - ] - }, - "value": "TeamXRat" - }, - { - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", - "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", - "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", - "http://www.clearskysec.com/oilrig/", - "https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf", - "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", - "http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability%20", - "https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a", - "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/", - "https://researchcenter.paloaltonetworks.com/2017/12/unit42-introducing-the-adversary-playbook-first-up-oilrig/", - "https://pan-unit42.github.io/playbook_viewer/", - "https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json" - ], - "country": "IR", - "synonyms": [ - "Twisted Kitten", - "Cobalt Gypsy" - ] - }, - "value": "OilRig", - "description": "OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. 
It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. \r\n\r\nOilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:\r\n\r\n-Organized evasion testing used the during development of their tools.\r\n-Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration.\r\n-Custom web-shells and backdoors used to persistently access servers.\r\n\r\nOilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access." 
- }, - { - "meta": { - "refs": [ - "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf" - ] - }, - "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .", - "value": "Volatile Cedar" - }, - { - "meta": { - "synonyms": [ - "Reuse team", - "Dancing Salome" - ] - }, - "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.", - "value": "Malware reusers" - }, - { - "value": "TERBIUM", - "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" - ] - } - }, - { - "value": "Molerats", - "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. 
Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", - "http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks" - ], - "synonyms": [ - "Gaza Hackers Team", - "Gaza cybergang", - "Operation Molerats", - "Extreme Jackal", - "Moonlight" - ] - } - }, - { - "value": "PROMETHIUM", - "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", - "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users" - ], - "synonyms": [ - "StrongPity" - ], - "country": "TR" - } - }, - { - "value": "NEODYMIUM", - "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. 
Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" - ] - } - }, - { - "value": "Packrat", - "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.", - "meta": { - "refs": [ - "https://citizenlab.org/2015/12/packrat-report/" - ] - } - }, - { - "value": "Cadelle", - "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" - ], - "country": "IR" - } - }, - { - "value": "Chafer", - "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. 
Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" - ], - "country": "IR" - } - }, - { - "value": "PassCV", - "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. 
We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on. ", - "meta": { - "refs": [ - "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" - ], - "country": "CN" - } - }, - { - "value": "Sath-ı Müdafaa", - "description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.", - "meta": { - "country": "TR", - "motive": "Hacktivists-Nationalists" - } - }, - { - "value": "Aslan Neferler Tim", - "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam", - "meta": { - "country": "TR", - "synonyms": [ - "Lion Soldiers Team", - "Phantom Turk" - ], - "motive": "Hacktivists-Nationalists" - } - }, - { - "value": "Ayyıldız Tim", - "description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. 
It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.", - "meta": { - "country": "TR", - "synonyms": [ - "Crescent and Star" - ], - "motive": "Hacktivists-Nationalists" - } - }, - { - "value": "TurkHackTeam", - "description": "Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ", - "meta": { - "country": "TR", - "synonyms": [ - "Turk Hack Team" - ], - "motive": "Hacktivists-Nationalists" - } - }, - { - "value": "Equation Group", - "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame", - "meta": { - "country": "US", - "refs": [ - "https://en.wikipedia.org/wiki/Equation_Group" - ], - "synonyms": [ - "Tilded Team", - "Lamberts", - "EQGRP" - ] - } - }, - { - "value": "Greenbug", - "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.", - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", - "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/" - ], - "country": "IR" - } - }, - { - "value": "Gamaredon Group", - "description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. 
We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.", - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution" - ] - } - }, - { - "meta": { - "country": "CN", - "synonyms": [ - "Zhenbao", - "TEMP.Zhenbao" - ], - "refs": [ - "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242" - ] - }, - "value": "Hammer Panda", - "description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia." - }, - { - "meta": { - "country": "IR", - "synonyms": [ - "Operation Mermaid" - ], - "refs": [ - "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf", - "https://iranthreats.github.io/", - "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", - "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/" - ] - }, - "value": "Infy", - "description": "Infy is a group of suspected Iranian origin." - }, - { - "meta": { - "country": "IR", - "refs": [ - "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf", - "https://iranthreats.github.io/" - ] - }, - "value": "Sima", - "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora." 
- }, - { - "meta": { - "country": "CN", - "synonyms": [ - "Cloudy Omega" - ], - "refs": [ - "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/", - "http://www.kaspersky.com/about/news/virus/2015/Blue-Termite-A-Sophisticated-Cyber-Espionage-Campaign-is-After-High-Profile-Japanese-Targets" - ] - }, - "value": "Blue Termite", - "description": "Blue Termite is a group of suspected Chinese origin active in Japan." - }, - { - "meta": { - "country": "UA", - "refs": [ - "http://www.welivesecurity.com/2016/05/18/groundbait" - ] - }, - "value": "Groundbait", - "description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics." - }, - { - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", - "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/" - ], - "country": "US" - }, - "value": "Longhorn", - "description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally." 
- }, - { - "meta": { - "refs": [ - "https://www.f-secure.com/documents/996508/1030745/callisto-group" - ] - }, - "value": "Callisto", - "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions." - }, - { - "meta": { - "synonyms": [ - "OceanLotus Group", - "Ocean Lotus", - "Cobalt Kitty", - "APT-C-00", - "SeaLotus", - "APT-32", - "APT 32" - ], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", - "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/", - "https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/", - "https://www.brighttalk.com/webcast/10703/261205" - ] - }, - "value": "APT32", - "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests." - }, - { - "value": "SilverTerrier", - "description": "As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available. 
", - "meta": { - "country": "NG", - "refs": [ - "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf" - ] - } - }, - { - "value": "WildNeutron", - "description": "A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks.", - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks", - "https://securelist.com/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/", - "https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/" - ], - "synonyms": [ - "Butterfly", - "Morpho", - "Sphinx Moth" - ] - } - }, - { - "value": "PLATINUM", - "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. 
Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.", - "meta": { - "refs": [ - "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf", - "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/" - ], - "synonyms": [ - "TwoForOne" - ] - } - }, - { - "value": "ELECTRUM", - "description": "Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. 
Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.", - "meta": { - "refs": [ - "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", - "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - ], - "synonyms": [ - "Sandworm" - ] - } - }, - { - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", - "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", - "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf", - "http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf" - ] - }, - "description": "FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.", - "value": "FIN8" - }, - { - "value": "El Machete", - "description": "El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here. We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. 
All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.", - "meta": { - "refs": [ - "https://securelist.com/blog/research/66108/el-machete/", - "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html" - ] - } - }, - { - "value": "Cobalt", - "description": "A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.", - "meta": { - "refs": [ - "https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/" - ], - "synonyms": [ - "Cobalt group", - "Cobalt gang" - ] - } - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter" - ] - }, - "value": "TA459" - }, - { - "meta": { - "refs": [ - "https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter" - ], - "country": "RU" - }, - "value": "Cyber Berkut" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==", - "https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/" - ] - }, - "value": "Tonto Team" - }, - { - "value": "Danti", - "meta": { - "refs": [ - "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" - ] - } - }, - { - "value": "APT5", - "meta": { - "refs": [ - "https://www.fireeye.com/current-threats/apt-groups.html" - ] - 
}
- },
- {
- "meta": {
- "country": "CN",
- "synonyms": [
- "APT22"
- ],
- "refs": [
- "http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild"
- ]
- },
- "value": "APT 22"
- },
- {
- "meta": {
- "synonyms": [
- "Bronze Butler"
- ],
- "country": "CN",
- "refs": [
- "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan",
- "https://www.secureworks.jp/resources/rp-bronze-butler",
- "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
- "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html"
- ]
- },
- "value": "Tick"
- },
- {
- "meta": {
- "synonyms": [
- "APT26",
- "Hippo Team",
- "JerseyMikes"
- ],
- "country": "CN"
- },
- "value": "APT 26"
- },
- {
- "meta": {
- "country": "CN",
- "refs": [
- "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
- ]
- },
- "value": "Sabre Panda"
- },
- {
- "meta": {
- "country": "CN",
- "refs": [
- "http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?"
- ]
- },
- "value": "Big Panda"
- },
- {
- "meta": {
- "country": "CN",
- "refs": [
- "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
- ]
- },
- "value": "Poisonous Panda"
- },
- {
- "value": "Ghost Jackal",
- "meta": {
- "refs": [
- "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
- ]
- }
- },
- {
- "meta": {
- "country": "KP",
- "refs": [
- "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
- ]
- },
- "value": "TEMP.Hermit"
- },
- {
- "meta": {
- "synonyms": [
- "Superman"
- ],
- "country": "CN",
- "refs": [
- "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
- "https://www.threatconnect.com/china-superman-apt/"
- ]
- },
- "value": "Mofang"
- },
- {
- "meta": {
- "country": "IR",
- "synonyms": [
- "Slayer Kitten"
- ],
- "refs": [
- "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf",
- "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/",
- "http://www.clearskysec.com/copykitten-jpost/",
- "http://www.clearskysec.com/tulip/"
- ]
- },
- "value": "CopyKittens"
- },
- {
- "value": "EvilPost",
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
- ]
- }
- },
- {
- "meta": {
- "country": "CN",
- "refs": [
- "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/"
- ]
- },
- "value": "SVCMONDR",
- "description": "The referenced link links this group to Temper Panda"
- },
- {
- "value": "Test Panda",
- "meta": {
- "country": "CN",
- "refs": [
- 
"http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
- ]
- }
- },
- {
- "meta": {
- "country": "IR",
- "refs": [
- "https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/",
- "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/"
- ]
- },
- "value": "Madi"
- },
- {
- "meta": {
- "country": "CN",
- "refs": [
- "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
- ]
- },
- "value": "Electric Panda"
- },
- {
- "meta": {
- "country": "CN",
- "synonyms": [
- "PLA Navy",
- "Sykipot"
- ],
- "refs": [
- "https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
- "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919"
- ]
- },
- "value": "Maverick Panda"
- },
- {
- "meta": {
- "country": "KP",
- "refs": [
- "http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/"
- ]
- },
- "value": "Kimsuki"
- },
- {
- "value": "Snake Wine",
- "meta": {
- "refs": [
- "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
- ]
- }
- },
- {
- "value": "Careto",
- "meta": {
- "refs": [
- "https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/"
- ],
- "synonyms": [
- "The Mask"
- ]
- }
- },
- {
- "meta": {
- "country": "CN",
- "refs": [
- "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
- ]
- },
- "value": "Gibberish Panda"
- },
- {
- "meta": {
- "country": "KP",
- "refs": [
- "http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml"
- ]
- },
- "value": "OnionDog"
- },
- {
- "meta": {
- "country": "IR",
- "synonyms": [
- "Group 41"
- ],
- "refs": [
- 
"http://www.crowdstrike.com/blog/whois-clever-kitten/"
- ]
- },
- "value": "Clever Kitten"
- },
- {
- "meta": {
- "refs": [
- "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
- ]
- },
- "value": "Andromeda Spider"
- },
- {
- "value": "Cyber Caliphate Army",
- "meta": {
- "refs": [
- "https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division",
- "https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697"
- ],
- "synonyms": [
- "Islamic State Hacking Division",
- "CCA",
- "United Cyber Caliphate",
- "UUC"
- ]
- }
- },
- {
- "meta": {
- "country": "RU",
- "refs": [
- "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
- ]
- },
- "value": "Magnetic Spider"
- },
- {
- "meta": {
- "country": "CN",
- "refs": [
- "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf"
- ]
- },
- "value": "Group 27"
- },
- {
- "meta": {
- "refs": [
- "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
- ]
- },
- "value": "Singing Spider"
- },
- {
- "meta": {
- "country": "IR",
- "synonyms": [
- "Fraternal Jackal"
- ],
- "refs": [
- "http://pastebin.com/u/QassamCyberFighters",
- "http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html"
- ]
- },
- "value": "Cyber fighters of Izz Ad-Din Al Qassam"
- },
- {
- "meta": {
- "synonyms": [
- "1.php Group",
- "APT6"
- ],
- "country": "CN"
- },
- "value": "APT 6"
- },
- {
- "value": "AridViper",
- "meta": {
- "refs": [
- "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf",
- "http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html",
- "https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/", - "https://ti.360.com/upload/report/file/APTSWXLVJ8fnjoxck.pdf", - "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/", - "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/", - "https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View", - "https://www.ci-project.org/blog/2017/3/4/arid-viper", - "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", - "https://www.threatconnect.com/blog/kasperagent-malware-campaign/" - ], - "synonyms": [ - "Desert Falcon", - "Arid Viper", - "APT-C-23" - ] - } - }, - { - "meta": { - "refs": [ - "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" - ] - }, - "value": "Dextorous Spider" - }, - { - "value": "Unit 8200", - "meta": { - "country": "IL", - "refs": [ - "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/", - "https://archive.org/details/Stuxnet" - ], - "synonyms": [ - "Duqu Group" - ] - } - }, - { - "meta": { - "refs": [ - "https://securelist.com/introducing-whitebear/81638/" - ], - "synonyms": [ - "Skipper Turla" - ], - "country": "RU" - }, - "value": "White Bear" - }, - { - "meta": { - "country": "CN", - "refs": [ - "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" - ] - }, - "value": "Pale Panda" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/" - ] - }, - "value": "Mana Team" - }, - { - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" - ] - }, - "description": "Sowbug has been conducting highly targeted cyber attacks against 
organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ", - "value": "Sowbug" - }, - { - "meta": { - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" - ] - }, - "description": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.", - "value": "MuddyWater" - }, - { - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/", - "https://www.group-ib.com/resources/reports/money-taker.html", - "https://www.group-ib.com/blog/moneytaker" - ] - }, - "description": "In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.", - "value": "MoneyTaker" - }, - { - "value": "Microcin", - "description": "We’re already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. 
Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago – we named it ‘Microcin’ after microini, one of the malicious components used in it.", - "meta": { - "refs": [ - "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", - "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf" - ] - } - }, - { - "meta": { - "country": "LB", - "refs": [ - "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" - ] - }, - "value": "Dark Caracal", - "description": "Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information." - }, - { - "value": "Nexus Zeta", - "description": "Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. 
This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets.", - "meta": { - "refs": [ - "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7" - ] - } - } - ], - "name": "Threat actor", - "type": "threat-actor", - "source": "MISP Project", - "authors": [ - "Alexandre Dulaunoy", - "Florian Roth", - "Thomas Schreck", - "Timo Steffens", - "Various" - ], - "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", - "uuid": "7cdff317-a673-4474-84ec-4f1754947823", - "version": 33 -} + "values": [ + { + "meta": { + "synonyms": [ + "Comment Panda", + "PLA Unit 61398", + "APT 1", + "APT1", + "Advanced Persistent Threat 1", + "Byzantine Candor", + "Group 3", + "TG-8223", + "Comment Group", + "Brown Fox" + ], + "country": "CN", + "refs": [ + "https://en.wikipedia.org/wiki/PLA_Unit_61398", + "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf" + ] + }, + "description": "PLA Unit 61398 (Chinese: 61398\u90e8\u961f, Pinyin: 61398 b\u00f9du\u00ec) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", + "value": "Comment Crew", + "uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be" + }, + { + "meta": { + "country": "CN" + }, + "value": "Stalker Panda", + "uuid": "36843742-adf1-427c-a7c0-067d74b4aeaf" + }, + { + "value": "Nitro", + "description": "These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. 
Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014. ", + "meta": { + "country": "CN", + "refs": [ + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf" + ], + "synonyms": [ + "Covert Grove" + ] + }, + "uuid": "0b06fb39-ed3d-4868-ac42-12fff6df2c80" + }, + { + "value": "Codoso", + "description": "The New York Times described Codoso as: 'A collection of hackers for hire that the security industry has been tracking for years. Over the years, the group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors\u2019 computers with malware.'", + "meta": { + "country": "CN", + "refs": [ + "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks", + "http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf", + "http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", + "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html" + ], + "synonyms": [ + "C0d0so", + "APT19", + "APT 19", + "Sunshop Group" + ] + }, + "uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c" + }, + { + "meta": { + "refs": [ + "https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf" + ] + }, + "value": "Dust Storm", + "uuid": "9e71024e-817f-45b0-92a0-d886c30bc929" + }, + { + "value": "Karma Panda", + "description": "Adversary targeting dissident groups in China and its surroundings.", + "meta": { + "country": "CN", + "refs": [ + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "uuid": 
"06e659ff-ece8-4e6c-a110-d9692ac6d8ee" + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "temp.bottle" + ] + }, + "value": "Keyhole Panda", + "uuid": "ad022538-b457-4839-8ebd-3fdcc807a820" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ] + }, + "value": "Wet Panda", + "uuid": "ba8973b2-fd97-4aa7-9307-ea4838d96428" + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ] + }, + "value": "Foxy Panda", + "description": "Adversary group targeting telecommunication and technology organizations.", + "uuid": "41c15f08-a646-49f7-a644-1bebbf7a4dcd" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ] + }, + "value": "Predator Panda", + "uuid": "1969f622-d64a-4436-9a34-4c47fcb2535f" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ] + }, + "value": "Union Panda", + "uuid": "7195b51f-500e-4034-a851-bf34a2728dc8" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ] + }, + "value": "Spicy Panda", + "uuid": "4959652d-72fa-46e4-be20-4ec686409bfb" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ] + }, + "value": "Eloquent Panda", + "uuid": "432b0304-768f-4fb9-9762-e745ef524ec7" + }, + { + "meta": { + "synonyms": [ + "LadyBoyle" + ] + }, + "value": 
"Dizzy Panda", + "uuid": "8a8f39df-74b3-4946-ab64-f84968bababe" + }, + { + "meta": { + "synonyms": [ + "PLA Unit 61486", + "APT 2", + "Group 36", + "APT-2", + "MSUpdater", + "4HCrew", + "SULPHUR", + "TG-6952" + ], + "country": "CN", + "refs": [ + "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" + ] + }, + "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'", + "value": "Putter Panda", + "uuid": "0ca45163-e223-4167-b1af-f088ed14a93d" + }, + { + "meta": { + "synonyms": [ + "Gothic Panda", + "TG-0110", + "APT 3", + "Group 6", + "UPS Team", + "APT3", + "Buckeye" + ], + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + ] + }, + "value": "UPS", + "description": "Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. 
However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'", + "uuid": "d144c83e-2302-4947-9e24-856fbf7949ae" + }, + { + "meta": { + "synonyms": [ + "DUBNIUM", + "Fallout Team", + "Karba", + "Luder", + "Nemim", + "Tapaoux" + ], + "refs": [ + "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", + "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2", + "https://securelist.com/blog/research/66779/the-darkhotel-apt/", + "http://drops.wooyun.org/tips/11726", + "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/" + ] + }, + "value": "DarkHotel", + "description": "Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. 
Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'", + "uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d" + }, + { + "meta": { + "synonyms": [ + "Numbered Panda", + "TG-2754", + "BeeBus", + "Group 22", + "DynCalc", + "Calc Team", + "DNSCalc", + "Crimson Iron", + "APT12", + "APT 12" + ], + "country": "CN", + "refs": [ + "http://www.crowdstrike.com/blog/whois-numbered-panda/" + ] + }, + "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", + "value": "IXESHE", + "uuid": "48146604-6693-4db1-bd94-159744726514" + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" + ] + }, + "value": "APT 16", + "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf" + }, + { + "meta": { + "synonyms": [ + "APT 17", + "Deputy Dog", + "Group 8", + "APT17", + "Hidden Lynx", + "Tailgater Team" + ], + "country": "CN", + "refs": [ + "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf" + ] + }, + "value": "Aurora Panda", + "description": "FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. 
government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'", + "uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb" + }, + { + "meta": { + "synonyms": [ + "Dynamite Panda", + "TG-0416", + "APT 18", + "SCANDIUM", + "PLA Navy", + "APT18" + ], + "country": "CN", + "refs": [ + "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828" + ] + }, + "value": "Wekby", + "description": "Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'", + "uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c" + }, + { + "meta": { + "synonyms": [ + "Operation Tropic Trooper" + ], + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" + ] + }, + "value": "Tropic Trooper", + "description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. 
The same campaign has also targeted key Philippine military agencies.'", + "uuid": "4fd409a9-db86-46a5-bdf2-b6c8ee397a89" + }, + { + "meta": { + "synonyms": [ + "Winnti Group", + "Tailgater Team", + "Group 72", + "Group72", + "Tailgater", + "Ragebeast", + "Blackfly", + "Lead", + "Wicked Spider", + "APT17", + "APT 17", + "Dogfish", + "Deputy Dog", + "Wicked Panda", + "Barium" + ], + "country": "CN", + "refs": [ + "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/", + "http://williamshowalter.com/a-universal-windows-bootkit/", + "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp" + ] + }, + "value": "Axiom", + "description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. 
The majority of the victims are from South East Asia.'", + "uuid": "24110866-cb22-4c85-a7d2-0413e126694b" + }, + { + "meta": { + "synonyms": [ + "Deep Panda", + "WebMasters", + "APT 19", + "KungFu Kittens", + "Black Vine", + "Group 13", + "PinkPanther", + "Sh3llCr3w" + ], + "country": "CN", + "refs": [ + "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf", + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "description": "Adversary group targeting financial, technology, non-profit organisations.", + "value": "Shell Crew", + "uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4" + }, + { + "meta": { + "synonyms": [ + "PLA Unit 78020", + "APT 30", + "APT30", + "Override Panda", + "Camerashy", + "APT.Naikon" + ], + "country": "CN", + "refs": [ + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", + "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html" + ] + }, + "value": "Naikon", + "description": "Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'", + "uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff" + }, + { + "meta": { + "synonyms": [ + "Spring Dragon", + "ST Group" + ], + "country": "CN", + "refs": [ + "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", + "https://securelist.com/spring-dragon-updated-activity/79067/" + ] + }, + "value": "Lotus Blossom", + "uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d" + }, + { + "meta": { + "synonyms": [ + "Elise" + ], + "country": "CN", + "refs": [ + "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/" + ] + }, + 
"value": "Lotus Panda", + "uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8" + }, + { + "meta": { + "synonyms": [ + "Black Vine", + "TEMP.Avengers" + ], + "country": "CN", + "refs": [ + "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/" + ] + }, + "value": "Hurricane Panda", + "uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb" + }, + { + "meta": { + "synonyms": [ + "TG-3390", + "APT 27", + "TEMP.Hippo", + "Group 35", + "Bronze Union", + "ZipToken", + "HIPPOTeam", + "APT27", + "Operation Iron Tiger", + "Iron Tiger APT" + ], + "country": "CN", + "refs": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", + "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", + "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", + "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/" + ] + }, + "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.", + "value": "Emissary Panda", + "uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32" + }, + { + "meta": { + "synonyms": [ + "APT10", + "APT 10", + "menuPass", + "happyyongzi", + "POTASSIUM", + "DustStorm", + "Red Apollo", + "CVNX" + ], + "country": "CN", + "refs": [ + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/" + ] + }, + "value": "Stone Panda", + "uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c" + }, + { + "meta": { + "synonyms": [ + "APT 9", + "Flowerlady/Flowershow", + "Flowerlady", + "Flowershow" + ], + "country": "CN", + "refs": [ + "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/" + ] + }, + "value": "Nightshade Panda", + "uuid": "401dd2c9-bd4f-4814-bb87-701e38f18d45" + }, + { + 
"meta": { + "synonyms": [ + "Goblin Panda", + "Cycldek" + ], + "country": "CN", + "refs": [ + "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/" + ] + }, + "value": "Hellsing", + "uuid": "af482dde-9e47-48d5-9cb2-cf8f6d6303d3" + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://kc.mcafee.com/corporate/index?page=content&id=KB71150" + ] + }, + "value": "Night Dragon", + "uuid": "b3714d59-b61e-4713-903a-9b4f04ae7f3d" + }, + { + "meta": { + "synonyms": [ + "Vixen Panda", + "Ke3Chang", + "GREF", + "Playful Dragon", + "APT 15", + "Metushy", + "Lurid", + "Social Network Team" + ], + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html", + "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/" + ] + }, + "value": "Mirage", + "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8" + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "APT14", + "APT 14", + "QAZTeam", + "ALUMINUM" + ], + "refs": [ + "http://www.crowdstrike.com/blog/whois-anchor-panda/" + ], + "motive": "Espionage" + }, + "value": "Anchor Panda", + "description": "PLA Navy", + "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104" + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "APT 21" + ], + "refs": [ + "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/" + ] + }, + "value": "NetTraveler", + "uuid": "b80f4788-ccb2-466d-ae16-b397159d907e" + }, + { + "meta": { + "synonyms": [ + "IceFog", + "Dagger Panda" + ], + "country": "CN", + "refs": [ + "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/", + "https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/" + ] + }, + "value": "Ice Fog", + "description": "Operate since at least 2011, from several locations in 
China, with members in Korea and Japan as well.", + "uuid": "32c534b9-abec-4823-b223-a810f897b47b" + }, + { + "meta": { + "synonyms": [ + "PittyTiger", + "MANGANESE" + ], + "country": "CN", + "refs": [ + "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2" + ] + }, + "value": "Pitty Panda", + "description": "The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials", + "uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189" + }, + { + "value": "Roaming Tiger", + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" + ] + }, + "uuid": "1fb177c1-472a-4147-b7c4-b5269b11703d" + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "Sneaky Panda" + ] + }, + "value": "Beijing Group", + "uuid": "da754aeb-a86d-4874-b388-d1d2028a56be" + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "Shrouded Crossbow" + ] + }, + "value": "Radio Panda", + "uuid": "c92d7d31-cfd9-4309-b6c4-b7eb1e85fa7e" + }, + { + "value": "APT.3102", + "meta": { + "country": "CN", + "refs": [ + "http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/" + ] + }, + "uuid": "f33fd440-93ee-41e5-974a-be9343e18cdf" + }, + { + "meta": { + "synonyms": [ + "PLA Navy", + "APT4", + "APT 4", + "Wisp Team", + "Getkys", + "SykipotGroup", + "Wkysol" + ], + "country": "CN", + "refs": [ + "http://www.crowdstrike.com/blog/whois-samurai-panda/" + ] + }, + "value": "Samurai Panda", + "uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7" + }, + { + "meta": { + "country": "CN" + }, + "value": "Impersonating Panda", + "uuid": "b56ecbda-6b2a-4aa9-b592-d9a0bc810ec1" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/" + ], + "synonyms": [ 
+ "APT20", + "APT 20", + "APT8", + "APT 8", + "TH3Bug" + ] + }, + "value": "Violin Panda", + "uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "description": "A group targeting dissident groups in China and at the boundaries.", + "value": "Toxic Panda", + "uuid": "1514546d-f6ea-4af3-bbea-24d6fd9e6761" + }, + { + "meta": { + "synonyms": [ + "Admin338", + "Team338", + "MAGNESIUM", + "admin@338" + ], + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" + ] + }, + "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.", + "value": "Temper Panda", + "uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b" + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india", + "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/" + ], + "synonyms": [ + "APT23", + "KeyBoy" + ] + }, + "value": "Pirate Panda", + "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee" + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "SaffronRose", + "Saffron Rose", + "AjaxSecurityTeam", + "Ajax Security Team", + "Group 26" + ], + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf", + 
"https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" + ] + }, + "value": "Flying Kitten", + "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.", + "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48" + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "ITSecTeam", + "Threat Group 2889", + "TG-2889", + "Ghambar" + ], + "refs": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" + ] + }, + "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit\u2122 (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. 
Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.", + "value": "Cutting Kitten", + "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e" + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "Newscaster", + "Parastoo", + "iKittens", + "Group 83", + "Newsbeef" + ], + "refs": [ + "https://en.wikipedia.org/wiki/Operation_Newscaster", + "https://iranthreats.github.io/resources/macdownloader-macos-malware/", + "https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/", + "https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/", + "https://cryptome.org/2012/11/parastoo-hacks-iaea.htm", + "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf", + "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/", + "https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf", + "https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks" + ] + }, + "value": "Charming Kitten", + "description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.", + "uuid": "f98bac6b-12fd-4cad-be84-c84666932232" + }, + { + "meta": { + "country": "IR", + "synonyms": [], + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + ] + }, + "description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. 
We assess APT33 works at the behest of the Iranian government.", + "value": "APT33", + "uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10" + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "Group 42" + ], + "refs": [ + "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" + ] + }, + "description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.", + "value": "Magic Kitten", + "uuid": "2e77511d-f72f-409e-9b64-e2a15efe9bf4" + }, + { + "meta": { + "synonyms": [ + "TEMP.Beanie", + "Operation Woolen Goldfish", + "Thamar Reservoir", + "Timberworm" + ], + "country": "IR", + "refs": [ + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing", + "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", + "http://www.clearskysec.com/thamar-reservoir/", + "https://citizenlab.org/2015/08/iran_two_factor_phishing/", + "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", + "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://en.wikipedia.org/wiki/Rocket_Kitten" + ] + }, + "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.", + "value": "Rocket Kitten", + "uuid": "f873db71-3d53-41d5-b141-530675ade27a" + }, + { + "meta": { + "country": "IR", + "synonyms": [ + 
"Operation Cleaver", + "Tarh Andishan", + "Alibaba", + "2889", + "TG-2889", + "Cobalt Gypsy", + "Ghambar", + "Cutting Kitten" + ], + "refs": [ + "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf", + "https://www.secureworks.com/research/the-curious-case-of-mia-ash", + "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" + ] + }, + "value": "Cleaver", + "description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies.", + "uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810" + }, + { + "meta": { + "country": "IR" + }, + "value": "Sands Casino", + "uuid": "1de1a64e-ea14-4e79-9e41-6958bdb6c0ff" + }, + { + "meta": { + "country": "TN", + "synonyms": [ + "FallagaTeam" + ], + "motive": "Hacktivism-Nationalist" + }, + "value": "Rebel Jackal", + "description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. 
Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region.", + "uuid": "29af2812-f7fb-4edb-8cc4-86d0d9e3644b" + }, + { + "meta": { + "country": "AE", + "synonyms": [ + "Vikingdom" + ] + }, + "value": "Viking Jackal", + "uuid": "7f99ba32-421c-4905-9deb-006e8eda40c1" + }, + { + "meta": { + "synonyms": [ + "APT 28", + "APT28", + "Pawn Storm", + "Fancy Bear", + "Sednit", + "TsarTeam", + "TG-4127", + "Group-4127", + "STRONTIUM", + "TAG_0700", + "Swallowtail", + "IRON TWILIGHT", + "Group 74" + ], + "country": "RU", + "refs": [ + "https://en.wikipedia.org/wiki/Sofacy_Group", + "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf", + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/" + ] + }, + "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. 
It has been characterized as an advanced persistent threat.", + "value": "Sofacy", + "uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754" + }, + { + "meta": { + "synonyms": [ + "Dukes", + "Group 100", + "Cozy Duke", + "CozyDuke", + "EuroAPT", + "CozyBear", + "CozyCar", + "Cozer", + "Office Monkeys", + "OfficeMonkeys", + "APT29", + "Cozy Bear", + "The Dukes", + "Minidionis", + "SeaDuke", + "Hammer Toss" + ], + "country": "RU", + "refs": [ + "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf", + "https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", + "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" + ] + }, + "value": "APT 29", + "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. 
In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering '", + "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a" + }, + { + "meta": { + "synonyms": [ + "Turla", + "Snake", + "Venomous Bear", + "Group 88", + "Waterbug", + "WRAITH", + "Turla Team", + "Uroburos", + "Pfinet", + "TAG_0530", + "KRYPTON", + "Hippo Team" + ], + "refs": [ + "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", + "https://www.circl.lu/pub/tr-25/", + "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", + "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", + "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/", + "https://securelist.com/blog/research/67962/the-penquin-turla-2/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf", + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" + ], + "country": "RU" + }, + "value": "Turla Group", + "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. 
Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O\u2019 Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. 
Cyrillic was also seen in use.'", + "uuid": "fa80877c-f509-4daf-8b62-20aba1635f68" + }, + { + "meta": { + "synonyms": [ + "Dragonfly", + "Crouching Yeti", + "Group 24", + "Havex", + "CrouchingYeti", + "Koala Team" + ], + "country": "RU", + "refs": [ + "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", + "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans", + "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/" + ] + }, + "description": "A Russian group that collects intelligence on the energy industry.", + "value": "Energetic Bear", + "uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee" + }, + { + "meta": { + "synonyms": [ + "Sandworm Team", + "Black Energy", + "BlackEnergy", + "Quedagh", + "Voodoo Bear", + "TEMP.Noble" + ], + "country": "RU", + "refs": [ + "http://www.isightpartners.com/2014/10/cve-2014-4114/", + "http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/", + "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", + "https://www.us-cert.gov/ncas/alerts/TA17-163A", + "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid" + ] + }, + "value": "Sandworm", + "uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35" + }, + { + "meta": { + "country": "RU", + "refs": [ + "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" + ], + "synonyms": [ + "Sandworm" + ] + }, + "value": "TeleBots", + "description": "We will refer to the gang behind the malware as TeleBots. However it\u2019s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. 
In fact, we think that the BlackEnergy group has evolved into the TeleBots group.", + "uuid": "b47250ec-2094-4d06-b658-11456e05fe89" + }, + { + "meta": { + "synonyms": [ + "Carbanak", + "Carbon Spider", + "FIN7" + ], + "country": "RU", + "refs": [ + "https://en.wikipedia.org/wiki/Carbanak", + "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf", + "http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf", + "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/", + "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns" + ], + "motive": "Cybercrime" + }, + "description": "Groups targeting financial organizations or people with significant financial assets.", + "value": "Anunak", + "uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb" + }, + { + "meta": { + "synonyms": [ + "TeamSpy", + "Team Bear", + "Berserk Bear", + "Anger Bear" + ], + "country": "RU", + "refs": [ + "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/" + ] + }, + "value": "TeamSpy Crew", + "uuid": "82c1c7fa-c67b-4be6-9be8-8aa400ef2445" + }, + { + "meta": { + "country": "RU", + "refs": [ + "http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/" + ] + }, + "value": "BuhTrap", + "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb" + }, + { + "meta": { + "country": "RU" + }, + "value": "Berserk Bear", + "uuid": "90ef600f-5198-44a9-a2c6-de4b4d9d8624" + }, + { + "meta": { + "country": "RO", + "synonyms": [ + "FIN4" + ] + }, + "value": "Wolf Spider", + "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57" + }, + { + "meta": { + "country": "RU" + }, + "value": "Boulder Bear", + "description": "First observed activity 
in December 2013.", + "uuid": "85b40169-3d1c-491b-9fbf-877ed57f32e0" + }, + { + "meta": { + "country": "RU" + }, + "value": "Shark Spider", + "description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.", + "uuid": "7dd7a8df-9012-4d14-977f-b3f9f71266b4" + }, + { + "meta": { + "country": "RU", + "refs": [ + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "value": "Union Spider", + "description": "Adversary targeting manufacturing and industrial organizations.", + "uuid": "db774b7d-a0ee-4375-b24e-fd278f5ab2fd" + }, + { + "meta": { + "country": "KP", + "synonyms": [ + "OperationTroy", + "Guardian of Peace", + "GOP", + "WHOis Team" + ], + "refs": [ + "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "value": "Silent Chollima", + "uuid": "245c8dde-ed42-4c49-b48b-634e3e21bdd7" + }, + { + "meta": { + "country": "KP", + "synonyms": [ + "Operation DarkSeoul", + "Dark Seoul", + "Hidden Cobra", + "Hastati Group", + "Andariel", + "Unit 121", + "Bureau 121", + "NewRomanic Cyber Army Team", + "Bluenoroff" + ], + "refs": [ + "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://securelist.com/lazarus-under-the-hood/77908/", + "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf", + "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", + "https://www.us-cert.gov/ncas/alerts/TA17-318A", + "https://www.us-cert.gov/ncas/alerts/TA17-318B" + ] + }, + "value": "Lazarus Group", + "description": "Since 2009, HIDDEN COBRA 
actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.", + "uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376" + }, + { + "meta": { + "synonyms": [ + "Appin", + "OperationHangover" + ], + "country": "IN", + "refs": [ + "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf" + ] + }, + "value": "Viceroy Tiger", + "uuid": "e2b87f81-a6a1-4524-b03f-193c3191d239" + }, + { + "meta": { + "synonyms": [ + "DD4BC", + "Ambiorx" + ], + "country": "US" + }, + "value": "Pizzo Spider", + "uuid": "dd9806a9-a600-48f8-81fb-07f0f1b7690d" + }, + { + "meta": { + "synonyms": [ + "TunisianCyberArmy" + ], + "country": "TN", + "refs": [ + "https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/" + ] + }, + "value": "Corsair Jackal", + "uuid": "59d63dd6-f46f-4334-ad15-30d2e1ee0623" + }, + { + "value": "SNOWGLOBE", + "meta": { + "country": "FR", + "refs": [ + "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/", + "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france", + "http://www.cyphort.com/evilbunny-malware-instrumented-lua/", + "http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", + "https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html" + ], + "synonyms": [ + "Animal Farm" + ] + }, + "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. 
Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.", + "uuid": "3b8e7462-c83f-4e7d-9511-2fe430d80aab" + }, + { + "meta": { + "synonyms": [ + "SyrianElectronicArmy", + "SEA" + ], + "country": "SY", + "refs": [ + "https://en.wikipedia.org/wiki/Syrian_Electronic_Army" + ] + }, + "description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear", + "value": "Deadeye Jackal", + "uuid": "4265d44e-8372-4ed0-b428-b331a5443d7d" + }, + { + "meta": { + "country": "PK", + "synonyms": [ + "C-Major" + ], + "refs": [ + "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf" + ] + }, + "value": "Operation C-Major", + "description": "Group targeting Indian Army or related assets in India. 
Attribution to a Pakistani connection has been made by TrendMicro.", + "uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905" + }, + { + "meta": { + "refs": [ + "https://citizenlab.org/2016/05/stealth-falcon/" + ], + "synonyms": [ + "FruityArmor" + ], + "country": "AE" + }, + "value": "Stealth Falcon", + "description": "Group targeting Emirati journalists, activists, and dissidents.", + "uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0" + }, + { + "meta": { + "synonyms": [ + "Operation Daybreak", + "Operation Erebus" + ], + "refs": [ + "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/" + ] + }, + "value": "ScarCruft", + "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits \u2014 two for Adobe Flash and one for Microsoft Internet Explorer.", + "uuid": "bb446dc2-4fee-4212-8b2c-3ffa2917e338" + }, + { + "meta": { + "refs": [ + "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" + ], + "synonyms": [ + "Skipper", + "Popeye" + ], + "country": "RU" + }, + "value": "Pacifier APT", + "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. 
The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail.", + "uuid": "32db3cc1-bb79-4b08-a7a4-747a37221afa" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf" + ] + }, + "description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. With the potential to sell access to these devices to the highest bidder", + "value": "HummingBad", + "uuid": "12ab5c28-5f38-4a2f-bd40-40e9c500f4ac" + }, + { + "meta": { + "synonyms": [ + "Chinastrats", + "Patchwork", + "Monsoon", + "Sarit" + ], + "refs": [ + "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/", + "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries", + "https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign", + "https://www.cymmetria.com/patchwork-targeted-attack/" + ] + }, + "description": "Dropping Elephant (also known as \u201cChinastrats\u201d and \u201cPatchwork\u201c) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China\u2019s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.", + "value": "Dropping Elephant", + "uuid": "18d473a5-831b-47a5-97a1-a32156299825" + }, + { + "meta": { + "refs": [ + "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" + ] + }, + "description": "Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. 
Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.", + "value": "Operation Transparent Tribe", + "uuid": "0b36d80d-5966-4c91-945b-1ac85552aa7b" + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://attack.mitre.org/wiki/Groups", + "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" + ] + }, + "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.", + "value": "Scarlet Mimic", + "uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e" + }, + { + "meta": { + "refs": [ + "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/", + "https://attack.mitre.org/wiki/Groups" + ], + "country": "BR" + }, + "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. 
The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.", + "value": "Poseidon Group", + "uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d" + }, + { + "meta": { + "synonyms": [ + "Moafee" + ], + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", + "https://attack.mitre.org/wiki/Groups", + "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/", + "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor", + "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor" + ], + "country": "CN" + }, + "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 
2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.", + "value": "DragonOK", + "uuid": "a9b44750-992c-4743-8922-129880d277ea" + }, + { + "meta": { + "synonyms": [ + "TG-3390", + "Emissary Panda" + ], + "refs": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", + "https://attack.mitre.org" + ], + "country": "CN" + }, + "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.", + "value": "Threat Group-3390", + "uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045" + }, + { + "meta": { + "synonyms": [ + "Strider", + "Sauron" + ], + "refs": [ + "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/" + ] + }, + "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. 
The name, ProjectSauron reflects the fact that the code authors refer to \u2018Sauron\u2019 in the Lua scripts.", + "value": "ProjectSauron", + "uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7" + }, + { + "meta": { + "refs": [ + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://attack.mitre.org/wiki/Group/G0013" + ], + "synonyms": [ + "APT30" + ], + "country": "CN" + }, + "value": "APT 30", + "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.", + "uuid": "f26144c5-8593-4e78-831a-11f6452d809b" + }, + { + "meta": { + "country": "CN" + }, + "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns", + "value": "TA530", + "uuid": "4b79d1f6-8333-44b6-ac32-d1ea7e47e77f" + }, + { + "meta": { + "refs": [ + "https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/" + ], + "country": "RU" + }, + "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.", + "value": "GCMAN", + "uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0" + }, + { + "meta": { + "refs": [ + "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", + "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" + ], + "country": "CN" + }, + "description": "Suckfly is a China-based threat group that has been active since at least 2014", + "value": "Suckfly", + "uuid": "5abb12e7-5066-4f84-a109-49a037205c76" + }, + { + "meta": { + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" + ] + }, + "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.", + "value": "FIN6", + "uuid": 
"647894f6-1723-4cba-aba4-0ef0966d5302" + }, + { + "meta": { + "country": "LY" + }, + "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.", + "value": "Libyan Scorpions", + "uuid": "815cbe98-e157-4078-9caa-c5a25dd64731" + }, + { + "meta": { + "synonyms": [ + "CorporacaoXRat", + "CorporationXRat" + ], + "refs": [ + "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" + ] + }, + "value": "TeamXRat", + "uuid": "43ec65d1-a334-4c44-9a44-0fd21f27249d" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "http://www.clearskysec.com/oilrig/", + "https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", + "http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability%20", + "https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/", + "https://researchcenter.paloaltonetworks.com/2017/12/unit42-introducing-the-adversary-playbook-first-up-oilrig/", + "https://pan-unit42.github.io/playbook_viewer/", + "https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json" + ], + "country": "IR", + "synonyms": [ + "Twisted Kitten", 
+ "Cobalt Gypsy" + ] + }, + "value": "OilRig", + "description": "OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. \r\n\r\nOilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:\r\n\r\n-Organized evasion testing used the during development of their tools.\r\n-Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration.\r\n-Custom web-shells and backdoors used to persistently access servers.\r\n\r\nOilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. 
OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.", + "uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba" + }, + { + "meta": { + "refs": [ + "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf" + ] + }, + "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .", + "value": "Volatile Cedar", + "uuid": "cf421ce6-ddfe-419a-bc65-6a9fc953232a" + }, + { + "meta": { + "synonyms": [ + "Reuse team", + "Dancing Salome" + ] + }, + "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.", + "value": "Malware reusers", + "uuid": "3d5192f2-f235-46fd-aa68-dd00cc17d632" + }, + { + "value": "TERBIUM", + "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. 
Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" + ] + }, + "uuid": "46670c51-fea4-45d6-bdd4-62e85a5c7404" + }, + { + "value": "Molerats", + "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called \u201cGaza Hackers Team.\u201d We refer to this campaign as \u201cMolerats.\u201d", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", + "http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks" + ], + "synonyms": [ + "Gaza Hackers Team", + "Gaza cybergang", + "Operation Molerats", + "Extreme Jackal", + "Moonlight" + ] + }, + "uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde" + }, + { + "value": "PROMETHIUM", + "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. 
In each of the campaigns, Truvasys malware evolved with additional features\u2014this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", + "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users" + ], + "synonyms": [ + "StrongPity" + ], + "country": "TR" + }, + "uuid": "43894e2a-174e-4931-94a8-2296afe8f650" + }, + { + "value": "NEODYMIUM", + "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor\u2019s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + ] + }, + "uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb" + }, + { + "value": "Packrat", + "description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. 
The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.", + "meta": { + "refs": [ + "https://citizenlab.org/2015/12/packrat-report/" + ] + }, + "uuid": "fe344665-d153-4d31-a32a-1509efde1ca7" + }, + { + "value": "Cadelle", + "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it\u2019s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", + "meta": { + "refs": [ + "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" + ], + "country": "IR" + }, + "uuid": "03f13462-003c-4296-8784-bccea16710a9" + }, + { + "value": "Chafer", + "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it\u2019s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. 
Symantec estimates that each team is made up of between 5 and 10 people.", + "meta": { + "refs": [ + "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" + ], + "country": "IR" + }, + "uuid": "ddd95696-3d9a-4d0c-beec-a34d396182f3" + }, + { + "value": "PassCV", + "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term \u2018PassCV\u2019 to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We\u2019d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they\u2019ve begun development on. 
", + "meta": { + "refs": [ + "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" + ], + "country": "CN" + }, + "uuid": "ceae0bc4-eb5f-4184-b949-a6f7d6f0f965" + }, + { + "value": "Sath-\u0131 M\u00fcdafaa", + "description": "A Turkish hacking group, Sath-\u0131 M\u00fcdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.", + "meta": { + "country": "TR", + "motive": "Hacktivists-Nationalists" + }, + "uuid": "a03e2b4b-617f-4d28-ac4b-9943f792aa22" + }, + { + "value": "Aslan Neferler Tim", + "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group\u2019s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey\u2019s policies or leadership, and purports to act in defense of Islam", + "meta": { + "country": "TR", + "synonyms": [ + "Lion Soldiers Team", + "Phantom Turk" + ], + "motive": "Hacktivists-Nationalists" + }, + "uuid": "23410d3f-c359-422d-9a4e-45f8fdf0c84a" + }, + { + "value": "Ayy\u0131ld\u0131z Tim", + "description": "Ayy\u0131ld\u0131z (Crescent and Star) Tim is a nationalist hacking group founded in 2002. 
It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.", + "meta": { + "country": "TR", + "synonyms": [ + "Crescent and Star" + ], + "motive": "Hacktivists-Nationalists" + }, + "uuid": "ab1771de-25bb-4688-b132-eabb5d6452a1" + }, + { + "value": "TurkHackTeam", + "description": "Founded in 2004, Turkhackteam is one of Turkey\u2019s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam\u2019s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ", + "meta": { + "country": "TR", + "synonyms": [ + "Turk Hack Team" + ], + "motive": "Hacktivists-Nationalists" + }, + "uuid": "7ae74dc6-ded3-4873-a803-abb4160d10c0" + }, + { + "value": "Equation Group", + "description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame", + "meta": { + "country": "US", + "refs": [ + "https://en.wikipedia.org/wiki/Equation_Group" + ], + "synonyms": [ + "Tilded Team", + "Lamberts", + "EQGRP" + ] + }, + "uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840" + }, + { + "value": "Greenbug", + "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.", + "meta": { + "refs": [ + "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/" + ], + "country": "IR" + }, + "uuid": 
"47204403-34c9-4d25-a006-296a0939d1a2" + }, + { + "value": "Gamaredon Group", + "description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.", + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution" + ] + }, + "uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb" + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "Zhenbao", + "TEMP.Zhenbao" + ], + "refs": [ + "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242" + ] + }, + "value": "Hammer Panda", + "description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia.", + "uuid": "1f2762d9-a4b5-4457-ac51-00be05be9e23" + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "Operation Mermaid" + ], + "refs": [ + "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf", + "https://iranthreats.github.io/", + "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", + "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/" + ] + }, + "value": "Infy", + "description": "Infy is a group of suspected Iranian origin.", + "uuid": "1671be1b-c844-48f5-84c8-54ac4fe4d71e" + }, + { + "meta": { + "country": "IR", + "refs": [ + 
"https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf", + "https://iranthreats.github.io/" + ] + }, + "value": "Sima", + "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora.", + "uuid": "80f9184d-1df3-4ad0-a452-cdb90fe57216" + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "Cloudy Omega" + ], + "refs": [ + "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/", + "http://www.kaspersky.com/about/news/virus/2015/Blue-Termite-A-Sophisticated-Cyber-Espionage-Campaign-is-After-High-Profile-Japanese-Targets" + ] + }, + "value": "Blue Termite", + "description": "Blue Termite is a group of suspected Chinese origin active in Japan.", + "uuid": "a250af72-f66c-4d02-9f36-ab764ce9fe85" + }, + { + "meta": { + "country": "UA", + "refs": [ + "http://www.welivesecurity.com/2016/05/18/groundbait" + ] + }, + "value": "Groundbait", + "description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People\u2019s Republics.", + "uuid": "8ed5e3f0-ed30-4eb8-bbee-4e221bd76d73" + }, + { + "meta": { + "refs": [ + "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", + "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/" + ], + "country": "US" + }, + "value": "Longhorn", + "description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. 
Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.",
+ "uuid": "2f3311cd-8476-4be7-9005-ead920afc781"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.f-secure.com/documents/996508/1030745/callisto-group"
+ ]
+ },
+ "value": "Callisto",
+ "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.",
+ "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "OceanLotus Group",
+ "Ocean Lotus",
+ "Cobalt Kitty",
+ "APT-C-00",
+ "SeaLotus",
+ "APT-32",
+ "APT 32"
+ ],
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
+ "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/",
+ "https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/",
+ "https://www.brighttalk.com/webcast/10703/261205"
+ ]
+ },
+ "value": "APT32",
+ "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. 
FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.",
+ "uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7"
+ },
+ {
+ "value": "SilverTerrier",
+ "description": "As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available. ",
+ "meta": {
+ "country": "NG",
+ "refs": [
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf"
+ ]
+ },
+ "uuid": "acbfd9e4-f78c-4ae0-9b52-c35ed679e546"
+ },
+ {
+ "value": "WildNeutron",
+ "description": "A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks.",
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks",
+ "https://securelist.com/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/",
+ "https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/"
+ ],
+ "synonyms": [
+ "Butterfly",
+ "Morpho",
+ "Sphinx Moth"
+ ]
+ },
+ "uuid": "e7df3572-0c96-4968-8e5a-803ef4219762"
+ },
+ {
+ "value": "PLATINUM",
+ "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. 
Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group\u2019s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.",
+ "meta": {
+ "refs": [
+ "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf",
+ "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/"
+ ],
+ "synonyms": [
+ "TwoForOne"
+ ]
+ },
+ "uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a"
+ },
+ {
+ "value": "ELECTRUM",
+ "description": "Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. 
Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.",
+ "meta": {
+ "refs": [
+ "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
+ ],
+ "synonyms": [
+ "Sandworm"
+ ]
+ },
+ "uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
+ "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html",
+ "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf",
+ "http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf"
+ ]
+ },
+ "description": "FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.",
+ "value": "FIN8",
+ "uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73"
+ },
+ {
+ "value": "El Machete",
+ "description": "El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here. We\u2019ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. 
All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/blog/research/66108/el-machete/",
+ "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html"
+ ]
+ },
+ "uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3"
+ },
+ {
+ "value": "Cobalt",
+ "description": "A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.",
+ "meta": {
+ "refs": [
+ "https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/"
+ ],
+ "synonyms": [
+ "Cobalt group",
+ "Cobalt gang"
+ ]
+ },
+ "uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter"
+ ]
+ },
+ "value": "TA459",
+ "uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter"
+ ],
+ "country": "RU"
+ },
+ "value": "Cyber Berkut",
+ "uuid": "4d9f68ba-cb2b-40bf-ba4b-6a5a9f2e1cf8"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==",
+ "https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/"
+ ]
+ },
+ "value": "Tonto Team",
+ "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26"
+ },
+ {
+ "value": 
"Danti",
+ "meta": {
+ "refs": [
+ "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/"
+ ]
+ },
+ "uuid": "fb745fe1-5478-4d47-ad3d-7389fa4a6f77"
+ },
+ {
+ "value": "APT5",
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/current-threats/apt-groups.html"
+ ]
+ },
+ "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "synonyms": [
+ "APT22"
+ ],
+ "refs": [
+ "http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild"
+ ]
+ },
+ "value": "APT 22",
+ "uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Bronze Butler"
+ ],
+ "country": "CN",
+ "refs": [
+ "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan",
+ "https://www.secureworks.jp/resources/rp-bronze-butler",
+ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
+ "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html"
+ ]
+ },
+ "value": "Tick",
+ "uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "APT26",
+ "Hippo Team",
+ "JerseyMikes"
+ ],
+ "country": "CN"
+ },
+ "value": "APT 26",
+ "uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
+ ]
+ },
+ "value": "Sabre Panda",
+ "uuid": "67adfa07-869f-4052-9d56-b88a51489902"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?" 
+ ]
+ },
+ "value": "Big Panda",
+ "uuid": "06e89270-ca1b-4cd4-85f3-940d23c76766"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
+ ]
+ },
+ "value": "Poisonous Panda",
+ "uuid": "5bc7382d-ddc6-46d3-96f5-1dbdadbd601c"
+ },
+ {
+ "value": "Ghost Jackal",
+ "meta": {
+ "refs": [
+ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ ]
+ },
+ "uuid": "7ad01582-d6a7-4a40-a0ee-7727e268cd15"
+ },
+ {
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
+ ]
+ },
+ "value": "TEMP.Hermit",
+ "uuid": "73c636ae-e55c-4167-bf40-315789698adb"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Superman"
+ ],
+ "country": "CN",
+ "refs": [
+ "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
+ "https://www.threatconnect.com/china-superman-apt/"
+ ]
+ },
+ "value": "Mofang",
+ "uuid": "999f3008-2b2f-467d-ab4d-c5a2fd80b344"
+ },
+ {
+ "meta": {
+ "country": "IR",
+ "synonyms": [
+ "Slayer Kitten"
+ ],
+ "refs": [
+ "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf",
+ "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/",
+ "http://www.clearskysec.com/copykitten-jpost/",
+ "http://www.clearskysec.com/tulip/"
+ ]
+ },
+ "value": "CopyKittens",
+ "uuid": "8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae"
+ },
+ {
+ "value": "EvilPost",
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
+ ]
+ },
+ "uuid": "9035bfbf-a73f-4948-9df2-bd893e9cafef"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ 
"https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/"
+ ]
+ },
+ "value": "SVCMONDR",
+ "description": "The referenced link links this group to Temper Panda",
+ "uuid": "70b80bcc-58e3-4a09-a3bf-98c0412bb7d3"
+ },
+ {
+ "value": "Test Panda",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
+ ]
+ },
+ "uuid": "cd6ac640-9ae9-4aa9-89cd-89b95be1a3ab"
+ },
+ {
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/",
+ "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/"
+ ]
+ },
+ "value": "Madi",
+ "uuid": "d5dacda0-12c2-4e80-bdf2-1c5019ec40e2"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
+ ]
+ },
+ "value": "Electric Panda",
+ "uuid": "69059ec9-45c9-4961-a07e-6b2f2228f0ce"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "synonyms": [
+ "PLA Navy",
+ "Sykipot"
+ ],
+ "refs": [
+ "https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
+ "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919"
+ ]
+ },
+ "value": "Maverick Panda",
+ "uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b"
+ },
+ {
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/"
+ ]
+ },
+ "value": "Kimsuki",
+ "uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3"
+ },
+ {
+ "value": "Snake Wine",
+ "meta": {
+ "refs": [
+ "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
+ ]
+ },
+ "uuid": "7b6ba207-94de-4f94-bc7f-52cd0dafade5"
+ },
+ {
+ "value": "Careto",
+ "meta": {
+ "refs": [
+ 
"https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/"
+ ],
+ "synonyms": [
+ "The Mask"
+ ]
+ },
+ "uuid": "069ba781-b2d9-4403-9d9d-c599f5e0181d"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
+ ]
+ },
+ "value": "Gibberish Panda",
+ "uuid": "b07cf296-7ab9-4b85-a07e-421607c212b0"
+ },
+ {
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml"
+ ]
+ },
+ "value": "OnionDog",
+ "uuid": "5898e11e-a023-464d-975c-b36fb1639e69"
+ },
+ {
+ "meta": {
+ "country": "IR",
+ "synonyms": [
+ "Group 41"
+ ],
+ "refs": [
+ "http://www.crowdstrike.com/blog/whois-clever-kitten/"
+ ]
+ },
+ "value": "Clever Kitten",
+ "uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ ]
+ },
+ "value": "Andromeda Spider",
+ "uuid": "e85ab78c-5e86-403c-b444-9cdcc167fb77"
+ },
+ {
+ "value": "Cyber Caliphate Army",
+ "meta": {
+ "refs": [
+ "https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division",
+ "https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697"
+ ],
+ "synonyms": [
+ "Islamic State Hacking Division",
+ "CCA",
+ "United Cyber Caliphate",
+ "UUC"
+ ]
+ },
+ "uuid": "76f6ad4e-2ff3-4ccb-b81d-18162f290af0"
+ },
+ {
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
+ ]
+ },
+ "value": "Magnetic Spider",
+ "uuid": "430ba885-cd24-492e-804c-815176ed9b1e"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ 
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf"
+ ]
+ },
+ "value": "Group 27",
+ "uuid": "73e4728a-955e-426a-b144-8cb95131f2ca"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ ]
+ },
+ "value": "Singing Spider",
+ "uuid": "769bf551-ff39-4f84-b7f2-654a28df1e50"
+ },
+ {
+ "meta": {
+ "country": "IR",
+ "synonyms": [
+ "Fraternal Jackal"
+ ],
+ "refs": [
+ "http://pastebin.com/u/QassamCyberFighters",
+ "http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html"
+ ]
+ },
+ "value": "Cyber fighters of Izz Ad-Din Al Qassam",
+ "uuid": "22c2b363-5d8f-4b04-96db-1b6cf4d7e8db"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "1.php Group",
+ "APT6"
+ ],
+ "country": "CN"
+ },
+ "value": "APT 6",
+ "uuid": "1a2592a3-eab7-417c-bf2d-9c0558c2b3e7"
+ },
+ {
+ "value": "AridViper",
+ "meta": {
+ "refs": [
+ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf",
+ "http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html",
+ "https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/",
+ "https://ti.360.com/upload/report/file/APTSWXLVJ8fnjoxck.pdf",
+ "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/",
+ "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
+ "https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View",
+ "https://www.ci-project.org/blog/2017/3/4/arid-viper",
+ "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
+ "https://www.threatconnect.com/blog/kasperagent-malware-campaign/"
+ ],
+ "synonyms": [
+ "Desert Falcon",
+ "Arid Viper",
+ "APT-C-23"
+ ]
+ },
+ "uuid": 
"0cfff0f4-868c-40a1-b9b4-0d153c0b33b6"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ ]
+ },
+ "value": "Dextorous Spider",
+ "uuid": "445c7b62-028b-455e-9d65-74899b7006a4"
+ },
+ {
+ "value": "Unit 8200",
+ "meta": {
+ "country": "IL",
+ "refs": [
+ "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/",
+ "https://archive.org/details/Stuxnet"
+ ],
+ "synonyms": [
+ "Duqu Group"
+ ]
+ },
+ "uuid": "e9a6cbd7-ca27-4894-ae20-9d11c06fdc02"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://securelist.com/introducing-whitebear/81638/"
+ ],
+ "synonyms": [
+ "Skipper Turla"
+ ],
+ "country": "RU"
+ },
+ "value": "White Bear",
+ "uuid": "dc6c6cbc-9dc6-4ace-a2d2-fadefe45cce6"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
+ ]
+ },
+ "value": "Pale Panda",
+ "uuid": "43992f81-fd29-4228-94e0-c3aa3e65aab7"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
+ ]
+ },
+ "value": "Mana Team",
+ "uuid": "110792e8-38d2-4df2-9ea3-08b60321e994"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
+ ]
+ },
+ "description": "Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. 
",
+ "value": "Sowbug",
+ "uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
+ ]
+ },
+ "description": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call \u201cPOWERSTATS\u201d. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.",
+ "value": "MuddyWater",
+ "uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/moneytaker-hacker-group-steals-millions-from-us-and-russian-banks/",
+ "https://www.group-ib.com/resources/reports/money-taker.html",
+ "https://www.group-ib.com/blog/moneytaker"
+ ]
+ },
+ "description": "In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.",
+ "value": "MoneyTaker",
+ "uuid": "7d78ec00-dfdc-4a80-a4da-63f1ae63bd7f"
+ },
+ {
+ "value": "Microcin",
+ "description": "We\u2019re already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. 
Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago \u2013 we named it \u2018Microcin\u2019 after microini, one of the malicious components used in it.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
+ "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf"
+ ]
+ },
+ "uuid": "0a6b31cd-54cd-4f82-9b87-aab780604632"
+ },
+ {
+ "meta": {
+ "country": "LB",
+ "refs": [
+ "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
+ ]
+ },
+ "value": "Dark Caracal",
+ "description": "Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.",
+ "uuid": "3d449c83-4426-431a-b06a-cb4f8a0fca94"
+ },
+ {
+ "value": "Nexus Zeta",
+ "description": "Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014\u20138361 and CVE-2017\u201317215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. 
This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets.",
+ "meta": {
+ "refs": [
+ "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7"
+ ]
+ },
+ "uuid": "8c21ce09-33c3-412c-bb55-323765e89a60"
+ }
+ ],
+ "name": "Threat actor",
+ "type": "threat-actor",
+ "source": "MISP Project",
+ "authors": [
+ "Alexandre Dulaunoy",
+ "Florian Roth",
+ "Thomas Schreck",
+ "Timo Steffens",
+ "Various"
+ ],
+ "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
+ "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
+ "version": 33
+}
\ No newline at end of file
diff --git a/clusters/tool.json b/clusters/tool.json
index 2f1abb5..782afe5 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1,3364 +1,3722 @@
 {
- "name": "Tool",
- "type": "tool",
- "source": "MISP Project",
- "authors": [
- "Alexandre Dulaunoy",
- "Florian Roth",
- "Timo Steffens",
- "Christophe Vandeplas"
- ],
- "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
- "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 52,
- "values": [
- {
- "meta": {
- "type": [
- "Banking"
- ],
- "synonyms": [
- "Hunter",
- "Zusy",
- "TinyBanker"
- ],
- "refs": [
- "https://thehackernews.com/search/label/Zusy%20Malware",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/"
- ]
- },
- "description": "Banking Malware",
- "value": "Tinba"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "synonyms": [
- "Backdoor.FSZO-5117",
- "Trojan.Heur.JP.juW@ayZZvMb",
- "Trojan.Inject1.6386",
- "Korplug",
- "Agent.dhwf"
- ],
- "refs": [
- "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx"
- ]
- },
- "description": "Malware",
- "value": "PlugX"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "refs": [
- "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx"
- ]
- },
- "description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
- "value": "MSUpdater"
- },
- {
- "meta": {
- "type": [
- "HackTool"
- ],
- "refs": [
- "https://github.com/AlessandroZ/LaZagne"
- ]
- },
- "description": "A password sthealing tool regularly used by attackers",
- "value": "Lazagne"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "synonyms": [
- "Backdoor.Win32.PoisonIvy",
- "Gen:Trojan.Heur.PT"
- ],
- "refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
- "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml"
- ]
- },
- "description": "Poison Ivy is a RAT which was freely 
available and first released in 2005.",
- "value": "Poison Ivy"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
- ]
- },
- "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.",
- "value": "SPIVY"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "synonyms": [
- "Anchor Panda"
- ],
- "refs": [
- "https://www.crowdstrike.com/blog/whois-anchor-panda/"
- ]
- },
- "value": "Torn RAT"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "synonyms": [
- "Ozone RAT",
- "ozonercp"
- ],
- "refs": [
- "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat"
- ]
- },
- "value": "OzoneRAT"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "synonyms": [
- "BackDoor-FBZT!52D84425CDF2",
- "Trojan.Win32.Staser.ytq",
- "Win32/Zegost.BW"
- ],
- "refs": [
- "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW"
- ]
- },
- "description": "ZeGhots is a RAT which was freely available and first released in 2014.",
- "value": "ZeGhost"
- },
- {
- "meta": {
- "type": [
- "dropper",
- "PWS"
- ],
- "synonyms": [
- "Elise"
- ],
- "refs": [
- "http://thehackernews.com/2015/08/elise-malware-hacking.html"
- ]
- },
- "description": "Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
- "value": "Elise Backdoor"
- },
- {
- "meta": {
- "type": [
- "PWS",
- "reco"
- ],
- "synonyms": [
- "Laziok"
- ],
- "refs": [
- "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector"
- ]
- },
- "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised 
computer.",
- "value": "Trojan.Laziok"
- },
- {
- "meta": {
- "type": [
- "Spyware",
- "AndroidOS"
- ],
- "synonyms": [
- "GM-Bot",
- "SlemBunk",
- "Bankosy",
- "Acecard"
- ],
- "refs": [
- "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/"
- ]
- },
- "description": "Android-based malware",
- "value": "Slempo"
- },
- {
- "meta": {
- "type": [
- "Dropper",
- "Miner",
- "Spyware"
- ],
- "synonyms": [
- "PWOLauncher",
- "PWOHTTPD",
- "PWOKeyLogger",
- "PWOMiner",
- "PWOPyExec",
- "PWOQuery"
- ],
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"
- ]
- },
- "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.",
- "value": "PWOBot"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"
- ],
- "synonyms": [
- "LostDoor RAT",
- "BKDR_LODORAT"
- ]
- },
- "description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. 
What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",
- "value": "Lost Door RAT"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "refs": [
- "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf",
- "https://github.com/kevthehermit/RATDecoders/blob/master/yaraRules/njRat.yar"
- ],
- "synonyms": [
- "Bladabindi",
- "Jorik"
- ]
- },
- "value": "njRAT"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "refs": [
- "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter",
- "https://nanocore.io/"
- ],
- "synonyms": [
- "NanoCore",
- "Nancrat",
- "Zurten",
- "Atros2.CKPN"
- ]
- },
- "value": "NanoCoreRAT"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "refs": [
- "https://www.secureworks.com/research/sakula-malware-family"
- ],
- "synonyms": [
- "Sakurel"
- ]
- },
- "value": "Sakula"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "refs": [
- "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
- ]
- },
- "value": "Hi-ZOR"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "refs": [
- "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
- "https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf"
- ],
- "synonyms": [
- "TROJ_DLLSERV.BE"
- ]
- },
- "value": "Derusbi"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/",
- "http://researchcenter.paloaltonetworks.com/2015/06/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/"
- ],
- "synonyms": [
- "BKDR_HGDER",
- "BKDR_EVILOGE",
- "BKDR_NVICM",
- "Wmonder"
- ]
- },
- "value": "EvilGrab"
- },
- {
- "meta": {
- "type": [
- "Dropper"
- ],
- "refs": [
- "https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid",
- 
"http://telussecuritylabs.com/threats/show/TSL20120614-05"
- ],
- "synonyms": [
- "Naid",
- "Mdmbot.E",
- "AGENT.GUNZ",
- "AGENT.AQUP.DROPPER",
- "AGENT.BMZA",
- "MCRAT.A",
- "AGENT.ABQMR"
- ]
- },
- "value": "Trojan.Naid"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "refs": [
- "http://www.darkreading.com/attacks-breaches/elite-chinese-cyberspy-group-behind-bit9-hack/d/d-id/1140495",
- "https://securityledger.com/2013/09/apt-for-hire-symantec-outs-hidden-lynx-hacking-crew/"
- ],
- "synonyms": [
- "SCAR",
- "KillProc.14145"
- ]
- },
- "description": "Backdoor.Moudoor, a customized version of Gh0st RAT",
- "value": "Moudoor"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "refs": [
- "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/"
- ],
- "synonyms": [
- "TravNet",
- "Netfile"
- ]
- },
- "description": "APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.",
- "value": "NetTraveler"
- },
- {
- "meta": {
- "type": [
- "Backdoor"
- ],
- "refs": [
- "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/",
- "https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf"
- ],
- "synonyms": [
- "Etso",
- "SUQ",
- "Agent.ALQHI"
- ]
- },
- "description": "APT used As part of Operation SMN, Novetta analyzed recent versions of the Winnti malware. 
The samples, compiled from mid- to late 2014, exhibited minimal functional changes over the previous generations Kaspersky reported in 2013.", - "value": "Winnti" - }, - { - "meta": { - "type": [ - "HackTool" - ], - "refs": [ - "https://github.com/gentilkiwi/mimikatz", - "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/" - ], - "synonyms": [ - "Mikatz" - ] - }, - "description": "Ease Credential stealh and replay, A little tool to play with Windows security.", - "value": "Mimikatz" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/gnaegle/cse4990-practical3", - "https://www.securestate.com/blog/2013/02/20/apt-if-it-aint-broke" - ] - }, - "description": "Backdoor attribued to APT1", - "value": "WEBC2" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" - ], - "synonyms": [ - "Badey", - "EXL" - ] - }, - "description": "Symantec has observed Buckeye activity dating back to 2009, involving attacks on various organizations in several regions. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organization’s network in 2009. 
The group delivered Backdoor.Pirpi through malicious attachments or links in convincing spear-phishing emails.", - "value": "Pirpi" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/" - ] - }, - "description": "RARSTONE is a Remote Access Tool (RAT) discovered early 2013 by TrendMicro, it’s characterized by a great affinity with the other RAT know as Plug is and was used in April for phishing campaigns that followed the dramatic attack to the Boston Marathon.", - "value": "RARSTONE" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://www2.fireeye.com/WEB-2015RPTAPT30.html", - "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf" - ], - "synonyms": [ - "Lecna" - ] - }, - "description": "Backspace is a Backdoor that targets the Windows platform. This malware is reportedly associated with targeted attacks against Association of Southeast Asian Nations (ASEAN) members (APT30).", - "value": "Backspace" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "https://kasperskycontenthub.com/securelist/files/2015/05/TheNaikonAPT-MsnMM.pdf" - ] - }, - "description": "Backdoor user by he Naikon APT group", - "value": "XSControl" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "synonyms": [ - "scout", - "norton" - ], - "refs": [ - "https://attack.mitre.org/wiki/Software/S0034", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ] - }, - "description": "NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. 
It has two main variants known as Scout and Norton.", - "value": "Neteagle" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://blog.gdatasoftware.com/2015/01/23927-evolution-of-sophisticated-spyware-from-agent-btz-to-comrat" - ], - "synonyms": [ - "ComRat" - ] - }, - "description": "In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit.", - "value": "Agent.BTZ" - }, - { - "description": "RAT bundle with standard VNC (to avoid/limit A/V detection).", - "value": "Heseber BOT" - }, - { - "value": "Agent.dne" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" - ], - "synonyms": [ - "Tavdig", - "Epic Turla", - "WorldCupSec", - "TadjMakhal" - ] - }, - "description": "Waterbug is the name given to the actors who use the malware tools Trojan.Wipbot (also known as Tavdig and Epic Turla)", - "value": "Wipbot" - }, - { - "meta": { - "type": [ - "Backdoor", - "Rootkit" - ], - "refs": [ - "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", - "https://objective-see.com/blog/blog_0x25.html#Snake" - ], - "synonyms": [ - "Snake", - "Uroburos", - "Urouros" - ] - }, - "description": "Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver). 
A macOS version exists but appears incomplete and lacking features...for now!", - "value": "Turla" - }, - { - "value": "Winexe" - }, - { - "description": "RAT initialy identified in 2011 and still actively used.", - "value": "Dark Comet" - }, - { - "meta": { - "synonyms": [ - "WinSpy" - ] - }, - "value": "Cadelspy" - }, - { - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" - ] - }, - "value": "CMStar" - }, - { - "meta": { - "refs": [ - "https://securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf" - ], - "synonyms": [ - "iRAT" - ] - }, - "value": "DHS2015" - }, - { - "meta": { - "refs": [ - "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf" - ], - "synonyms": [ - "Gh0stRat, GhostRat" - ] - }, - "description": "Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago.", - "value": "Gh0st Rat" - }, - { - "meta": { - "refs": [ - "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf" - ], - "synonyms": [ - "FAKEM" - ] - }, - "description": "Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages). ", - "value": "Fakem RAT" - }, - { - "meta": { - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/" - ], - "synonyms": [ - "Hupigon", - "BKDR_HUPIGON" - ] - }, - "value": "MFC Huner" - }, - { - "meta": { - "refs": [ - "https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-charges-connection", - "https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/" - ] - }, - "description": "Blackshades Remote Access Tool targets Microsoft Windows operating systems. 
Authors were arrested in 2012 and 2014.", - "value": "Blackshades" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "possible_issues": "Report tells that is could be Xagent alias (Java Rat)", - "refs": [ - "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" - ], - "synonyms": [ - "webhp", - "SPLM", - "(.v2 fysbis)" - ] - }, - "description": "backdoor used by apt28 ", - "value": "CHOPSTICK" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "possible_issues": "Report tells that is could be Xagent alias (Java Rat)", - "refs": [ - "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" - ], - "synonyms": [ - "Sedreco", - "AZZY", - "ADVSTORESHELL", - "NETUI" - ] - }, - "description": "backdoor used by apt28\n\nSedreco serves as a spying backdoor; its functionalities can be extended with dynamically loaded plugins. It is made up of two distinct components: a dropper and the persistent payload installed by this dropper. We have not seen this component since April 2016.", - "value": "EVILTOSS" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" - ], - "synonyms": [ - "Sednit", - "Seduploader", - "JHUHUGIT", - "Sofacy" - ] - }, - "description": "backdoor", - "value": "GAMEFISH" - }, - { - "meta": { - "refs": [ - "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" - ], - "synonyms": [ - "Sofacy" - ] - }, - "description": "downloader - Older version of CORESHELL", - "value": "SOURFACE" - }, - { - "meta": { - "type": [ - "PWS" - ], - "refs": [ - "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_sasfis.tl", - "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" - ], - "synonyms": [ - "Sasfis", - "BackDoor-FDU", - "IEChecker" - ] - }, - "description": "credential harvester", - "value": "OLDBAIT" - }, - { - "meta": { - "refs": [ - 
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" - ], - "synonyms": [ - "Sofacy" - ] - }, - "description": "downloader - Newer version of SOURFACE", - "value": "CORESHELL" - }, - { - "meta": { - "synonyms": [ - "Havex" - ] - }, - "value": "Havex RAT" - }, - { - "meta": { - "refs": [ - "https://www.sentinelone.com/blog/understanding-kjw0rm-malware-we-dive-in-to-the-tv5-cyber-attack/" - ] - }, - "description": "RAT initially written in VB.", - "value": "KjW0rm" - }, - { - "value": "TinyTyphon" - }, - { - "value": "Badnews" - }, - { - "value": "LURK" - }, - { - "value": "Oldrea" - }, - { - "value": "AmmyAdmin" - }, - { - "value": "Matryoshka" - }, - { - "value": "TinyZBot" - }, - { - "value": "GHOLE" - }, - { - "value": "CWoolger" - }, - { - "value": "FireMalv" - }, - { - "meta": { - "synonyms": [ - "Prax", - "WarriorPride" - ], - "refs": [ - "https://en.wikipedia.org/wiki/Regin_(malware)" - ] - }, - "description": "Regin (also known as Prax or WarriorPride) is a sophisticated malware toolkit revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download including malware discovered at Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003. 
The name Regin is first found on the VirusTotal website on 9 March 2011.", - "value": "Regin" - }, - { - "value": "Duqu" - }, - { - "value": "Flame" - }, - { - "value": "Stuxnet" - }, - { - "value": "EquationLaser" - }, - { - "value": "EquationDrug" - }, - { - "value": "DoubleFantasy" - }, - { - "value": "TripleFantasy" - }, - { - "value": "Fanny" - }, - { - "value": "GrayFish" - }, - { - "value": "Babar" - }, - { - "value": "Bunny" - }, - { - "value": "Casper" - }, - { - "value": "NBot" - }, - { - "value": "Tafacalou" - }, - { - "value": "Tdrop" - }, - { - "value": "Troy" - }, - { - "value": "Tdrop2" - }, - { - "meta": { - "refs": [ - "http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html" - ], - "synonyms": [ - "Sensode" - ] - }, - "value": "ZXShell" - }, - { - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" - ] - }, - "value": "T9000" - }, - { - "meta": { - "refs": [ - "http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml" - ], - "synonyms": [ - "Plat1" - ] - }, - "value": "T5000" - }, - { - "meta": { - "refs": [ - "http://www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks" - ] - }, - "value": "Taidoor" - }, - { - "meta": { - "refs": [ - "http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/" - ] - }, - "value": "Swisyn" - }, - { - "meta": { - "refs": [ - "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" - ] - }, - "value": "Rekaf" - }, - { - "value": "Scieron" - }, - { - "meta": { - "refs": [ - "http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/" - ] - }, - "value": "SkeletonKey" - }, - { - "meta": { - "refs": [ - "http://labs.alienvault.com/labs/index.php/2011/another-sykipot-sample-likely-targeting-us-federal-agencies/" - ] 
- }, - "value": "Skyipot" - }, - { - "meta": { - "refs": [ - "http://www.threatconnect.com/news/threatconnect-enables-healthy-networking-biomed-life-sciences-industry/" - ] - }, - "value": "Spindest" - }, - { - "value": "Preshin" - }, - { - "value": "Oficla" - }, - { - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/" - ] - }, - "value": "PCClient RAT" - }, - { - "value": "Plexor" - }, - { - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" - ] - }, - "value": "Mongall" - }, - { - "meta": { - "refs": [ - "http://www.clearskysec.com/dustysky/" - ] - }, - "value": "NeD Worm" - }, - { - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" - ] - }, - "value": "NewCT" - }, - { - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" - ] - }, - "value": "Nflog" - }, - { - "meta": { - "refs": [ - "http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/" - ] - }, - "value": "Janicab" - }, - { - "meta": { - "refs": [ - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf" - ], - "synonyms": [ - "Jiripbot" - ] - }, - "value": "Jripbot" - }, - { - "meta": { - "refs": [ - "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" - ] - }, - "value": "Jolob" - }, - { - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" - ] - }, - "value": "IsSpace" - }, - { - "value": "Emotet", - "meta": { - "refs": [ - "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/" - ], - "synonyms": [ - "Geodo" - ] - 
} - }, - { - "meta": { - "synonyms": [ - "Hoarde", - "Phindolp", - "BS2005" - ] - }, - "value": "Hoardy" - }, - { - "meta": { - "refs": [ - "http://www.secureworks.com/research/threats/htran/" - ] - }, - "value": "Htran" - }, - { - "meta": { - "refs": [ - "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" - ], - "synonyms": [ - "TokenControl" - ] - }, - "value": "HTTPBrowser" - }, - { - "value": "Disgufa" - }, - { - "value": "Elirks" - }, - { - "meta": { - "refs": [ - "https://www.circl.lu/pub/tr-13/" - ], - "synonyms": [ - "Ursnif" - ] - }, - "value": "Snifula" - }, - { - "meta": { - "refs": [ - "http://www.cybersquared.com/killing-with-a-borrowed-knife-chaining-core-cloud-service-profile-infrastructure-for-cyber-attacks" - ], - "synonyms": [ - "Yayih", - "mswab", - "Graftor" - ] - }, - "value": "Aumlib" - }, - { - "meta": { - "refs": [ - "http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html" - ] - }, - "value": "CTRat" - }, - { - "meta": { - "refs": [ - "http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan" - ], - "synonyms": [ - "Newsripper" - ] - }, - "value": "Emdivi" - }, - { - "meta": { - "refs": [ - "www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf" - ], - "synonyms": [ - "Exploz", - "Specfix", - "RIPTIDE" - ] - }, - "value": "Etumbot" - }, - { - "meta": { - "synonyms": [ - "Loneagent" - ] - }, - "value": "Fexel" - }, - { - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" - ] - }, - "value": "Fysbis" - }, - { - "meta": { - "refs": [ - "https://blog.bit9.com/2013/02/25/bit9-security-incident-update/" - ] - }, - "value": "Hikit" - }, - { - "meta": { - "synonyms": [ - "Tordal", - "Chanitor", - "Pony" - ], - "refs": [ - 
"https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" - ] - }, - "value": "Hancitor" - }, - { - "meta": { - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" - ] - }, - "value": "Ruckguv" - }, - { - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" - ] - }, - "value": "HerHer Trojan" - }, - { - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" - ] - }, - "value": "Helminth backdoor" - }, - { - "meta": { - "refs": [ - "http://williamshowalter.com/a-universal-windows-bootkit/" - ] - }, - "value": "HDRoot" - }, - { - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html" - ] - }, - "value": "IRONGATE" - }, - { - "meta": { - "refs": [ - "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" - ] - }, - "value": "ShimRAT" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "synonyms": [ - "XAgent" - ], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/", - "https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq", - "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", - "https://objective-see.com/blog/blog_0x25.html#XAgent" - ] - }, - "description": "APT28's second-stage persistent macOS backdoor. This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.\n\nXagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration. 
Xagent is the group’s flagship backdoor and heavily used in their operations. Early versions for Linux and Windows were seen years ago, then in 2015 an iOS version came out. One year later, an Android version was discovered and finally, in the beginning of 2017, an Xagent sample for OS X was described.", - "value": "X-Agent" - }, - { - "meta": { - "synonyms": [ - "XTunnel" - ] - }, - "value": "X-Tunnel" - }, - { - "meta": { - "refs": [ - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" - ] - }, - "value": "Foozer" - }, - { - "meta": { - "refs": [ - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" - ] - }, - "value": "WinIDS" - }, - { - "meta": { - "refs": [ - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" - ] - }, - "value": "DownRange" - }, - { - "meta": { - "refs": [ - "https://www.arbornetworks.com/blog/asert/mad-max-dga/" - ] - }, - "value": "Mad Max" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" - ] - }, - "description": "Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims", - "value": "Crimson" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" - ] - }, - "description": "Operation Groundbait based on our research into the Prikormka malware family. This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.", - "value": "Prikormka" - }, - { - "meta": { - "refs": [ - "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf" - ] - }, - "description": "This whitepaper details a malicious program we identify as NanHaiShu. 
Based on our analysis, the threat actor behind this malware targets government and private-sector organizations.", - "value": "NanHaiShu" - }, - { - "meta": { - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/" - ] - }, - "description": "Umbreon (sharing the same name as the Pokémon) targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.", - "value": "Umbreon" - }, - { - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" - ] - }, - "description": "Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.", - "value": "Odinaff" - }, - { - "meta": { - "synonyms": [ - "Houdini" - ], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/" - ] - }, - "description": "Unit 42 has observed a new version of Hworm (or Houdini) being used within multiple attacks. This blog outlines technical details of this new Hworm version and documents an attack campaign making use of the backdoor. 
Of the samples used in this attack, the first we observed were June 2016, while as-of publication we were still seeing attacks as recently as mid-October, suggesting that this is likely an active, ongoing campaign.", - "value": "Hworm" - }, - { - "meta": { - "synonyms": [ - "Dripion" - ], - "refs": [ - "http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan" - ] - }, - "description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.", - "value": "Backdoor.Dripion" - }, - { - "meta": { - "synonyms": [ - "AlienSpy", - "Frutas", - "Unrecom", - "Sockrat", - "JSocket", - "jRat", - "Backdoor:Java/Adwind" - ], - "refs": [ - "https://securelist.com/blog/research/73660/adwind-faq/" - ] - }, - "description": "Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. A significant amount of additional functionality can be provided through downloadable plugins, including such things as remote control options and shell command execution.", - "value": "Adwind" - }, - { - "value": "Bedep" - }, - { - "value": "Cromptui" - }, - { - "meta": { - "synonyms": [ - "Cridex" - ], - "refs": [ - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf" - ] - }, - "description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. 
Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.", - "value": "Dridex" - }, - { - "value": "Fareit" - }, - { - "value": "Gafgyt" - }, - { - "meta": { - "synonyms": [ - "Andromeda" - ], - "refs": [ - "https://blog.gdatasoftware.com/2015/03/24274-the-andromeda-gamarue-botnet-is-on-the-rise-again" - ] - }, - "value": "Gamarue" - }, - { - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Necurs_botnet" - ] - }, - "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.", - "value": "Necurs" - }, - { - "value": "Palevo" - }, - { - "meta": { - "synonyms": [ - "Qbot", - "Qakbot", - "PinkSlipBot" - ], - "refs": [ - "https://en.wikipedia.org/wiki/Akbot" - ] - }, - "value": "Akbot" - }, - { - "description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. ", - "value": "Upatre" - }, - { - "meta": { - "refs": [ - "https://www.sophos.com/medialibrary/PDFs/technical%20papers/sophos-vawtrak-international-crimeware-as-a-service-tpna.pdf" - ] - }, - "description": "Vawtrak is an information stealing malware family that is primarily used to gain unauthorised access to bank accounts through online banking websites.", - "value": "Vawtrak" - }, - { - "meta": { - "refs": [ - "https://github.com/adaptivethreat/Empire" - ] - }, - "description": "Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. 
Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework", - "value": "Empire" - }, - { - "meta": { - "refs": [ - "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf" - ] - }, - "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. ", - "value": "Explosive" - }, - { - "meta": { - "refs": [ - "https://citizenlab.org/2016/11/parliament-keyboy/", - "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india" - ] - }, - "description": "The actors used a new version of “KeyBoy,” a custom backdoor first disclosed by researchers at Rapid7 in June 2013. Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data", - "value": "KeyBoy" - }, - { - "meta": { - "synonyms": [ - "W32/Seeav" - ], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ] - }, - "description": "The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. 
One of the attacks used their known Yahoyah malware...", - "value": "Yahoyah" - }, - { - "description": "Delphi RAT used by Sofacy.", - "value": "Tartine" - }, - { - "meta": { - "synonyms": [ - "Linux/Mirai" - ], - "refs": [ - "https://en.wikipedia.org/wiki/Mirai_(malware)" - ] - }, - "description": "Mirai (Japanese for \"the future\") is malware that turns computer systems running Linux into remotely controlled \"bots\", that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers. The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH and the October 2016 Dyn cyberattack.", - "value": "Mirai" - }, - { - "value": "Masuta", - "description": "IoT malware based on Mirai but slightly improved.", - "meta": { - "refs": [ - "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7" - ], - "synonyms": [ - "PureMasuta" - ] - } - }, - { - "value": "BASHLITE" - }, - { - "meta": { - "refs": [ - "https://www.virusbulletin.com/conference/vb2014/abstracts/back-blackenergy-2014-targeted-attacks-ukraine-and-poland/" - ] - }, - "description": "BlackEnergy is a trojan which has undergone significant functional changes since it was first publicly analysed by Arbor Networks in 2007. It has evolved from a relatively simple DDoS trojan into a relatively sophisticated piece of modern malware with a modular architecture, making it a suitable tool for sending spam and for online bank fraud, as well as for targeted attacks. BlackEnergy version 2, which featured rootkit techniques, was documented by SecureWorks in 2010. The targeted attacks recently discovered are proof that the trojan is still alive and kicking in 2014. 
We provide a technical analysis of the BlackEnergy family, focusing on novel functionality and the differences introduced by new lite variants. We describe the most notable aspects of the malware, including its techniques for bypassing UAC, defeating the signed driver requirement in Windows and a selection of BlackEnergy2 plug-ins used for parasitic file infections, network discovery and remote code execution and data collection.", - "value": "BlackEnergy" - }, - { - "meta": { - "synonyms": [ - "Seaduke" - ], - "refs": [ - "https://www.symantec.com/security_response/writeup.jsp?docid=2015-031915-4935-99" - ] - }, - "description": "Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.", - "value": "Trojan.Seaduke" - }, - { - "value": "Backdoor.Tinybaron" - }, - { - "value": "Incognito RAT" - }, - { - "meta": { - "synonyms": [ - "Carberplike" - ], - "refs": [ - "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", - "https://twitter.com/Timo_Steffens/status/814781584536719360" - ] - }, - "value": "DownRage" - }, - { - "meta": { - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan" - ] - }, - "value": "Chthonic" - }, - { - "value": "GeminiDuke", - "description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.", - "meta": { - "refs": [ - "https://attack.mitre.org/wiki/Software/S0049" - ] - } - }, - { - "value": "Zeus", - "description": "Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. 
The Trojan is created using a Trojan-building toolkit.", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Zeus_(malware)", - "https://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99" - ], - "synonyms": [ - "Trojan.Zbot", - "Zbot" - ] - } - }, - { - "value": "Shifu", - "description": "Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.", - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/" - ], - "derivated_from": [ - "Shiz" - ] - } - }, - { - "value": "Shiz", - "description": "The new variant of the Shiz Trojan malware targets mission-critical enterprise resource planning (ERP) applications — particularly SAP users. ", - "meta": { - "refs": [ - "https://securityintelligence.com/tag/shiz-trojan-malware/" - ] - } - }, - { - "value": "MM Core", - "description": "Also known as “BaneChant”, MM Core is a file-less APT which is executed in memory by a downloader component. It was first reported in 2013 under the version number “2.0-LNK” where it used the tag “BaneChant” in its command-and-control (C2) network request. A second version “2.1-LNK” with the network tag “StrangeLove” was discovered shortly after.", - "meta": { - "refs": [ - "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" - ], - "synonyms": [ - "MM Core backdoor", - "BigBoss", - "SillyGoose", - "BaneChant", - "StrangeLove" - ] - } - }, - { - "value": "Shamoon", - "description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. 
The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/Shamoon" - ] - } - }, - { - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/" - ] - }, - "description": "According to MalwareHunterTeam and other researchers that have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.", - "value": "GhostAdmin" - }, - { - "meta": { - "country": "IT", - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/" - ] - }, - "description": "Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. 
(Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)", - "value": "EyePyramid Malware" - }, - { - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/" - ] - }, - "description": "LuminosityLink is a malware family costing $40 that purports to be a system administration utility", - "value": "LuminosityLink" - }, - { - "meta": { - "synonyms": [ - "Floki Bot", - "Floki" - ], - "refs": [ - "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", - "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/" - ] - }, - "description": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.", - "value": "Flokibot" - }, - { - "meta": { - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" - ] - }, - "description": "Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.", - "value": "ZeroT" - }, - { - "meta": { - "refs": [ - "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" - ] - }, - "description": "Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples ‘stream’, combined with the dropper functionality to append ‘ex’ to the DLL file name. 
The StreamEx family has the ability to access and modify the user’s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild. ", - "value": "StreamEx" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "adzok" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "albertino" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "arcom" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "blacknix" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "bluebanana" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "bozok" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "clientmesh" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "cybergate" - }, - { - "meta": { - "type": [ - 
"Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "darkcomet" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "darkrat" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "gh0st" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "greame" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "hawkeye" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "javadropper" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "lostdoor" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "luxnet" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "pandora" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "poisonivy" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "predatorpain" - }, - { - "meta": { - 
"type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "punisher" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "qrat" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "shadowtech" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "smallnet" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "spygate" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "template" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "tapaoux" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "vantom" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "virusrat" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "xena" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "xtreme" - }, - { - "meta": { 
- "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "darkddoser" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "jspy" - }, - { - "meta": { - "type": [ - "Backdoor" - ], - "refs": [ - "https://github.com/kevthehermit/RATDecoders" - ] - }, - "description": "Remote Access Trojan", - "value": "xrat" - }, - { - "meta": { - "refs": [ - "https://github.com/n1nj4sec/pupy" - ] - }, - "description": "Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python.", - "value": "PupyRAT" - }, - { - "meta": { - "refs": [ - "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/elf_imeij.a" - ] - }, - "description": "Linux Arm malware spread via RFIs in cgi-bin scripts. This backdoor executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.", - "value": "ELF_IMEIJ" - }, - { - "meta": { - "refs": [ - "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor" - ] - }, - "description": "KHRAT is a small backdoor that has three exports (functions), namely, K1, K2, and K3. K1 checks if the current user is an administrator. If not, it uninstalls itself by calling the K2 function.", - "value": "KHRAT" - }, - { - "meta": { - "refs": [ - "http://www.enigmasoftware.com/trochilusrat-removal/" - ] - }, - "description": "The Trochilus RAT is a threatening RAT (Remote Access Trojan) that may evade many anti-virus programs. The Trochilus RAT is currently being used as part of an extended threat campaign in South East Asia. 
The first appearance of the Trochilus RAT in this campaign, which has been active since August of 2015, was first detected in the summer of 2015. The Trochilus RAT is currently being used against civil society organizations and government computers in the South East Asia region, particularly in attacks directed towards the government of Myanmar.", - "value": "Trochilus" - }, - { - "meta": { - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" - ] - }, - "description": "The MoonWind sample used for this analysis was compiled with a Chinese compiler known as BlackMoon, the same compiler used for the BlackMoon banking Trojan. While a number of attributes match the BlackMoon banking Trojan, the malware is not the same. Both malware families were simply compiled using the same compiler, and it was the BlackMoon artifacts that resulted in the naming of the BlackMoon banking Trojan. But because this new sample is different from the BlackMoon banking Trojan,", - "value": "MoonWind" - }, - { - "description": "Chrysaor is spyware believed to be created by NSO Group Technologies, specializing in the creation and sale of software and infrastructure for targeted attacks. Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS and analyzed by Citizen Lab and Lookout.", - "value": "Chrysaor", - "meta": { - "refs": [ - "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" - ], - "synonyms": [ - "Pegasus", - "Pegasus spyware" - ] - } - }, - { - "meta": { - "refs": [ - "http://virusradar.com/en/Win32_Sathurbot.A/description", - "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/" - ] - }, - "description": "The trojan serves as a backdoor. 
It can be controlled remotely.", - "value": "Sathurbot" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "The AURIGA malware family shares a large amount of functionality with the BANGAT backdoor. The malware family contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. The AURIGA malware contains a driver component which is used to inject the malware DLL into other processes. This driver can also perform process and IP connection hiding. The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the \"Microsoft corp\" strings in the cmd.exe binary with different values. The malware family typically maintains persistence through installing itself as a service.", - "value": "AURIGA" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "The BANGAT malware family shares a large amount of functionality with the AURIGA backdoor. The malware family contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. In addition, the malware also implements a custom VNC like protocol which sends screenshots of the desktop to the C2 server and accepts keyboard and mouse input. The malware communicates to its C2 servers using SSL, with self signed SSL certificates. The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the \"Microsoft corp\" strings in the cmd.exe binary with different values. 
The malware family typically maintains persistence through installing itself as a service.", - "value": "BANGAT" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "BISCUIT provides attackers with full access to an infected host. BISCUIT capabilities include launching an interactive command shell, enumerating servers on a Windows network, enumerating and manipulating process, and transferring files. BISCUIT communicates using a custom protocol, which is then encrypted using SSL. Once installed BISCUIT will attempt to beacon to its command/control servers approximately every 10 or 30 minutes. It will beacon its primary server first, followed by a secondary server. All communication is encrypted with SSL (OpenSSL 0.9.8i).", - "value": "BISCUIT" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "BOUNCER will load an extracted DLL into memory, and then will call the DLL's dump export. The dump export is called with the parameters passed via the command line to the BOUNCER executable. It requires at least two arguments, the IP and port to send the password dump information. It can accept at most five arguments, including a proxy IP, port and an x.509 key for SSL authentication. The DLL backdoor has the capability to execute arbitrary commands, collect database and server information, brute force SQL login credentials, launch arbitrary programs, create processes and threads, delete files, and redirect network traffic.", - "value": "BOUNCER" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "This family of malware uses Google Calendar to retrieve commands and send results. 
It retrieves event feeds associated with Google Calendar, where each event contains commands from the attacker for the malware to perform. Results are posted back to the event feed. The malware authenticates with Google using the hard coded email address and passwords. The malware uses the deprecated ClientLogin authentication API from Google. The malware is registered as a service dll as a persistence mechanism. Artifacts of this may be found in the registry.", - "value": "CALENDAR" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "The COMBOS malware family is an HTTP based backdoor. The backdoor is capable of file upload, file download, spawning a interactive reverse shell, and terminating its own process. The backdoor may decrypt stored Internet Explorer credentials from the local system and transmit the credentials to the C2 server. The COMBOS malware family does not have any persistence mechanisms built into itself.", - "value": "COMBOS" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ], - "synonyms": [ - "TROJAN.COOKIES" - ] - }, - "description": "his family of malware is a backdoor capable of file upload and download as well as providing remote interactive shell access to the compromised machine. Communication with the Command & Control (C2) servers uses a combination of single-byte XOR and Base64 encoded data in the Cookie and Set-Cookie HTTP header fields. Communication with the C2 servers is over port 80. Some variants install a registry key as means of a persistence mechanism. 
The hardcoded strings cited include a string of a command in common with several other APT1 families.", - "value": "COOKIEBAG" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "Members of this malware family are backdoors that provide file downloading, process listing, process killing, and reverse shell capabilities. This malware may also add itself to the Authorized Applications list for the Windows Firewall.", - "value": "DAIRY" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "Members of this family of malware are utilities designed to extract email messages and attachments from Outlook PST files. One part of this utility set is an executable, one is a dll. The malware may create a registry artifact related to the executable.", - "value": "GETMAIL" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "This family of malware is a utility designed to upload files to Google Docs. Nearly all communications are with docs.google.com are SSL encrypted. The malware does not use Google's published API to interact with their services. The malware does not currently work with Google Docs. It does not detect HTTP 302 redirections and will get caught in an infinite loop attempting to parse results from Google that are not present.", - "value": "GDOCUPLOAD" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ], - "synonyms": [ - "TROJAN.GTALK" - ] - }, - "description": "GLOOXMAIL communicates with Google's Jabber/XMPP servers and authenticates with a hard-coded username and password. 
The malware can accept commands over XMPP that includes file upload and download, provide a remote shell, sending process listings, and terminating specified processes. The malware makes extensive use of the open source gloox library (http://camaya.net/gloox/, version 0.9.9.12) to communicate using the Jabber/XMPP protocol. All communications with the Google XMPP server are encrypted.", - "value": "GLOOXMAIL" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ], - "synonyms": [ - "TROJAN.FOXY" - ] - }, - "description": "A family of downloader malware, that retrieves an encoded payload from a fixed location, usually in the form of a file with the .jpg extension. Some variants have just an .exe that acts as a downloader, others have an .exe launcher that runs as a service and then loads an associated .dll of the same name that acts as the downloader. This IOC is targeted at the downloaders only. After downloading the file, the malware decodes the downloaded payload into an .exe file and launches it. The malware usually stages the files it uses in the %TEMP% directory or the %WINDIR%\\Temp directory.", - "value": "GOGGLES" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "Members of this family are full featured backdoors that communicates with a Web-based Command & Control (C2) server over SSL. Features include interactive shell, gathering system info, uploading and downloading files, and creating and killing processes, Malware in this family usually communicates with a hard-coded domain using SSL on port 443. Some members of this family rely on launchers to establish persistence mechanism for them. Others contains functionality that allows it to install itself, replacing an existing Windows service, and uninstall itself. 
Several variants use %SystemRoot%\\Tasks or %WinDir%\\Tasks as working directories, additional malware artifacts may be found there.", - "value": "GREENCAT" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": " This family of malware is a backdoor that provides reverse shell, process creation, system statistics collection, process enumeration, and process termination capabilities. This family is designed to be a service DLL and does not contain an installation mechanism. It usually communicates over port 443. Some variants use their own encryption, others use SSL.", - "value": "HACKFASE" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": " This family of malware is designed to operate as a service and provides remote command execution and file transfer capabilities to a fixed IP address or domain name. All communication with the C2 server happens over port 443 using SSL. This family can be installed as a service DLL. Some variants allow for uninstallation.", - "value": "HELAUTO" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "This family of malware is a backdoor that tunnels its connection through a preconfigured proxy. The malware communicates with a remote command and control server over HTTPS via the proxy. The malware installs itself as a Windows service with a service name supplied by the attacker but defaults to IPRIP if no service name is provided during install.", - "value": "KURTON" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "LIGHTBOLT is a utility with the ability to perform HTTP GET requests for a list of user-specified URLs. 
The responses of the HTTP requests are then saved as MHTML files, which are added to encrypted RAR files. LIGHTBOLT has the ability to use software certificates for authentication.", - "value": "LIGHTBOLT" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "LIGHTDART is a tool used to access a pre-configured web page that hosts an interface to query a database or data set. The tool then downloads the results of a query against that web page to an encrypted RAR file. This RAR file (1.rar) is renamed and uploaded to an attacker controlled FTP server, or uploaded via an HTTP POST with a .jpg extension. The malware will execute this search once a day. The target webpage usually contains information useful to the attacker, which is updated on a regular basis. Examples of targeted information include weather information or ship coordinates.", - "value": "LIGHTDART" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "LONGRUN is a backdoor designed to communicate with a hard-coded IP address and provide the attackers with a custom interactive shell. It supports file uploads and downloads, and executing arbitrary commands on the compromised machine. When LONGRUN executes, it first loads configuration data stored as an obfuscated string inside the PE resource section. The distinctive string thequickbrownfxjmpsvalzydg is used as part of the input to the decoding algorithm. When the configuration data string is decoded it is parsed and treated as an IP and port number. 
The malware then connects to the host and begins interacting with it over a custom protocol.", - "value": "LONGRUN" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "This family of malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files. This IOC looks for both the dropper file and the backdoor.", - "value": "MANITSME" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html", - "http://contagiodump.blogspot.com/2010/06/these-days-i-see-spike-in-number-of.html" - ] - }, - "description": "This malware utility is a set of two files that operate in conjunction to extract email messages and attachments from an Exchange server. In order to operate successfully, these programs require authentication credentials for a user on the Exchange server, and must be run from a machine joined to the domain that has Microsoft Outlook installed (or equivalent software that provides the Microsoft 'Messaging API' (MAPI) service).", - "value": "MAPIGET" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "This family of malware consists of backdoors that attempt to fetch encoded commands over HTTP. The malware is capable of downloading a file, downloading and executing a file, executing arbitrary shell commands, or sleeping a specified interval.", - "value": "MINIASP" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "The NEWSREELS malware family is an HTTP based backdoor. When first started, NEWSREELS decodes two strings from its resources section. 
These strings are both used as C2 channels, one URL is used as a beacon URL (transmitting) and the second URL is used to get commands (receiving). The NEWSREELS malware family is capable of performing file uploads, downloads, creating processes or creating an interactive reverse shell.", - "value": "NEWSREELS" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "The SEASALT malware family communicates via a custom binary protocol. It is capable of gathering some basic system information, file system manipulation, file upload and download, process creation and termination, and spawning an interactive reverse shell. The malware maintains persistence by installing itself as a service.", - "value": "SEASALT" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "STARSYPOUND provides an interactive remote shell over an obfuscated communications channel. When it is first run, it loads a string (from the executable PE resource section) containing the beacon IP address and port. The malware sends the beacon string \"*(SY)# \" to the remote system, where is the hostname of the victim system. The remote host responds with a packet that also begins with the string \"*(SY)# cmd\". This causes the malware to launch a new cmd.exe child process. Further communications are forwarded to the cmd.exe child process to execute. The commands sent to the shell and their responses are obfuscated when sent over the network.", - "value": "STARSYPOUND" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "This family of malware provides a backdoor over the network to the attackers. 
It is configured to connect to a single host and offers file download over HTTP, program execution, and arbitrary execution of commands through a cmd.exe instance.", - "value": "SWORD" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ], - "synonyms": [ - "TROJAN LETSGO" - ] - }, - "description": " This malware family is a full-featured backdoor capable of file uploading and downloading, arbitrary execution of programs, and providing a remote interactive command shell. All communications with the C2 server are sent over HTTP to a static URL, appending various URL parameters to the request. Some variants use a slightly different URL.", - "value": "TABMSGSQL" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address. The capability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process enumeration, process creation, process termination. The TARSIP-ECLIPSE family is distinguished by the presence of 'eclipse' in .pdb debug strings present in the malware samples. It does not provide a built in mechanism to maintain persistence.", - "value": "TARSIP-ECLIPSE" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address. 
The capability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process enumeration, process creation, process termination. The TARSIP-MOON family is distinguished by the presence of 'moon' in .pdb debug strings present in the malware samples. It does not provide a built in mechanism to maintain persistence.", - "value": "TARSIP-MOON" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "The WARP malware family is an HTTP based backdoor written in C++, and the majority of its code base is borrowed from source code available in the public domain. Network communications are implemented using the same WWW client library (w3c.cpp) available from www.dankrusi.com/file_69653F3336383837.html. The malware has system survey functionality (collects hostname, current user, system uptime, CPU speed, etc.) taken directly from the BO2K backdoor available from www.bo2k.com. It also contains the hard disk identification code found at www.winsim.com/diskid32/diskid32.cpp. When the WARP executing remote commands, the malware creates a copy of the ?%SYSTEMROOT%\\system32\\cmd.exe? file as '%USERPROFILE%\\Temp\\~ISUN32.EXE'. The version signature information of the duplicate executable is zeroed out. Some WARP variants maintain persistence through the use of DLL search order hijacking.", - "value": "WARP" - }, - { - "meta": { - "refs": [ - "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" - ] - }, - "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is capable of downloading and executing a file. All variants represented here are the same file with different MD5 signatures. 
This malware attempts to contact its C2 once a week (Thursday at 10:00 AM). It looks for commands inside a set of HTML tags, part of which are in the File Strings indicator term below.",
- "value": "WEBC2-ADSPACE"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware family is a only a downloader which operates over the HTTP protocol with a hard-coded URL. If directed, it has the capability to download, decompress, and execute compressed binaries.",
- "value": "WEBC2-AUSOV"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": " A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is a backdoor capable of downloading files and updating its configuration. Communication with the command and control (C2) server uses a combination of single-byte XOR and Base64 encoded data wrapped in standard HTML tags. The malware family installs a registry key as a persistence mechanism.",
- "value": "WEBC2-BOLID"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. 
The family of malware provides the attacker with an interactive command shell, the ability to upload and download files, execute commands on the system, list processes and DLLs, kill processes, and ping hosts on the local network. Responses to these commands are encrypted and compressed before being POSTed to the server. Some variants copy cmd.exe to Updatasched.exe in a temporary directory, and then may launch that in a process if an interactive shell is called. On initial invocation, the malware also attempts to delete previous copies of the Updatasched.exe file.",
- "value": "WEBC2-CLOVER"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware act only as downloaders and droppers for other malware. They communicate with a hard-coded C2 server, reading commands embedded in HTML comment fields. Some variants are executables which act upon execution, others are DLLs which can be attached to services or loaded through search order hijacking.",
- "value": "WEBC2-CSON"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-DIV variant searches for the strings \"div safe:\" and \" balance\" to delimit encoded C2 information. If the decoded string begins with the letter \"J\" the malware will parse additional arguments in the decoded string to specify the sleep interval to use. 
WEBC2-DIV is capable of downloading a file, downloading and executing a file, or sleeping a specified interval.",
- "value": "WEBC2-DIV"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware is a variant on the GREENCAT family, using a fixed web C2. This family is a full featured backdoor which provides remote command execution, file transfer, process and service enumeration and manipulation. It installs itself persistently through the current user's registry Run key.",
- "value": "WEBC2-GREENCAT"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-HEAD variant communicates over HTTPS, using the system's SSL implementation to encrypt all communications with the C2 server. WEBC2-HEAD first issues an HTTP GET to the host, sending the Base64-encoded string containing the name of the compromised machine running the malware.",
- "value": "WEBC2-HEAD"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-KT3 variant searches for commands in a specific comment tag. 
Network traffic starting with *!Kt3+v| may indicate WEBC2-KT3 activity.",
- "value": "WEBC2-KT3"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-QBP variant will search for two strings in a HTML comment. The first will be \"2010QBP \" followed by \" 2010QBP//--\". Inside these tags will be a DES-encrypted string. ",
- "value": "WEBC2-QBP"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware will set itself up as a service and connect out to a hardcoded web page and read a modified base64 string from this webpage. The later versions of this malware supports three commands (earlier ones are just downloaders or reverse shells). The first commands will sleep the malware for N number of hours. The second command will download a binary from the encoded HTML comment and execute it on the infected host. The third will spawn an encoded reverse shell to an attacker specified location and port.",
- "value": "WEBC2-RAVE"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. 
The WEBC2-TABLE variant looks for web pages containing 'background', 'align', and 'bgcolor' tags to be present in the requested Web page. If the data in these tags are formatted correctly, the malware will decode a second URL and a filename. This URL is then retrieved, written to the decoded filename and executed.",
- "value": "WEBC2-TABLE"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TABLE variant looks for web pages containing 'background', 'align', and 'bgcolor' tags to be present in the requested Web page. If the data in these tags are formatted correctly, the malware will decode a second URL and a filename. This URL is then retrieved, written to the decoded filename and executed.",
- "value": "WEBC2-TOCK"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware provide remote command shell and remote file download and execution capabilities. The malware downloads a web page containing a crafted HTML comment that subsequently contains an encoded command. The contents of this command tell the malware whether to download and execute a program, launch a reverse shell to a specific host and port number, or to sleep for a period of time. 
",
- "value": "WEBC2-UGX"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of backdoor malware talk to specific Web-based Command & Control (C2) servers. The backdoor has a limited command set, depending on version. It is primarily a downloader, but it classified as a backdoor because it can accept a limited command set, including changing local directories, downloading and executing additional files, sleeping, and connecting to a specific IP & port not initially included in the instruction set for the malware. Each version of the malware has at least one hardcoded URL to which it connects to receive its initial commands. This family of malware installs itself as a service, with the malware either being the executable run by the service, or the service DLL loaded by a legitimate service. The same core code is seen recompiled on different dates or with different names, but the same functionality. Key signatures include a specific set of functions (some of which can be used with the OS-provided rundll32.exe tool to install the malware as a service), and hardcoded strings used in communication with C2 servers to issue commands to the implant.",
- "value": "WEBC2-Y21K"
- },
- {
- "meta": {
- "refs": [
- "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
- ]
- },
- "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. 
The WEBC2-YAHOO variant enters a loop where every ten minutes it attempts to download a web page that may contain an encoded URL. The encoded URL will be found in the pages returned inside an attribute named 'sb' or 'ex' within a tag named 'yahoo'. The embedded link can direct the malware to download and execute files.",
- "value": "WEBC2-YAHOO"
- },
- {
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html"
- ]
- },
- "description": "HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string.",
- "value": "HAYMAKER"
- },
- {
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html"
- ]
- },
- "description": "BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell.",
- "value": "BUGJUICE"
- },
- {
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html"
- ]
- },
- "description": "SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. The malware’s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell. 
Persistence is maintained through a Run registry key.",
- "value": "SNUGRIDE"
- },
- {
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html"
- ]
- },
- "description": "QUASARRAT is an open-source RAT available at https://github.com/quasar/QuasarRat . The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past.",
- "value": "QUASARRAT"
- },
- {
- "meta": {
- "refs": [
- "http://surveillance.rsf.org/en/hacking-team/",
- "https://wikileaks.org/hackingteam/emails/fileid/581640/267803",
- "https://wikileaks.org/hackingteam/emails/emailid/31436"
- ],
- "synonyms": [
- "DaVinci",
- "Morcut"
- ]
- },
- "description": "Hacking Team’s \"DaVinci\" Remote Control System is able, the company says, to break encryption and allow law enforcement agencies to monitor encrypted files and emails (even ones encrypted with PGP), Skype and other Voice over IP or chat communication. It allows identification of the target’s location and relationships. It can also remotely activate microphones and cameras on a computer and works worldwide. Hacking Team claims that its software is able to monitor hundreds of thousands of computers at once, all over the country. Trojans are available for Windows, Mac, Linux, iOS, Android, Symbian and Blackberry.",
- "value": "da Vinci RCS"
- },
- {
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html",
- "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html"
- ]
- },
- "description": "LATENTBOT, a new, highly obfuscated BOT that has been in the wild since mid-2013. 
It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.",
- "value": "LATENTBOT"
- },
- {
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html"
- ],
- "synonyms": [
- "BlackOasis"
- ]
- },
- "description": "Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.",
- "value": "FINSPY"
- },
- {
- "meta": {
- "refs": [
- "https://www.f-secure.com/documents/996508/1030745/callisto-group"
- ]
- },
- "description": "HackingTeam Remote Control System (RCS) Galileo hacking platform",
- "value": "RCS Galileo"
- },
- {
- "description": "RedHat 7.0 - 7.1 Sendmail 8.11.x exploit",
- "value": "EARLYSHOVEL"
- },
- {
- "description": "root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86",
- "value": "EBBISLAND (EBBSHAVE)"
- },
- {
- "description": "remote Samba 3.0.x Linux exploit",
- "value": "ECHOWRECKER"
- },
- {
- "description": "appears to be an MDaemon email server vulnerability",
- "value": "EASYBEE"
- },
- {
- "description": "an IBM Lotus Notes exploit that gets detected as Stuxnet",
- "value": "EASYPI"
- },
- {
- "description": "an exploit for IBM Lotus Domino 6.5.4 & 7.0.2",
- "value": "EWOKFRENZY"
- },
- {
- "description": "an IIS 6.0 exploit that creates a remote backdoor",
- "value": "EXPLODINGCAN"
- },
- {
- "description": "a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010)",
- "value": "ETERNALROMANCE"
- },
- {
- "description": "a SMB exploit (MS09-050)",
- "value": "EDUCATEDSCHOLAR"
- },
- {
- "description": "a SMB exploit for Windows XP and Server 2003 (MS10-061)",
- "value": "EMERALDTHREAD"
- },
- {
- 
"description": "a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2",
- "value": "EMPHASISMINE"
- },
- {
- "description": "Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users",
- "value": "ENGLISHMANSDENTIST"
- },
- {
- "description": "0-day exploit (RCE) for Avaya Call Server",
- "value": "EPICHERO"
- },
- {
- "description": "SMBv1 exploit targeting Windows XP and Server 2003",
- "value": "ERRATICGOPHER"
- },
- {
- "description": "a SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010)",
- "value": "ETERNALSYNERGY"
- },
- {
- "description": "SMBv2 exploit for Windows 7 SP1 (MS17-010)",
- "value": "ETERNALBLUE"
- },
- {
- "description": "a SMBv1 exploit",
- "value": "ETERNALCHAMPION"
- },
- {
- "description": "Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers",
- "value": "ESKIMOROLL"
- },
- {
- "description": "RDP exploit and backdoor for Windows Server 2003",
- "value": "ESTEEMAUDIT"
- },
- {
- "description": "RCE exploit for the Server service in Windows Server 2008 and later (MS08-067)",
- "value": "ECLIPSEDWING"
- },
- {
- "description": "exploit for IMail 8.10 to 8.22",
- "value": "ETRE"
- },
- {
- "description": "an exploit framework, similar to MetaSploit",
- "value": "FUZZBUNCH"
- },
- {
- "description": "implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not detected by any AV vendors",
- "value": "ODDJOB"
- },
- {
- "description": "utility which Bypasses authentication for Oracle servers",
- "value": "PASSFREELY"
- },
- {
- "description": "check if the target is vulnerable to samba exploits like ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE",
- "value": "SMBTOUCH"
- },
- {
- "description": "Check if the target is running some RPC",
- "value": "ERRATICGOPHERTOUCH"
- },
- {
- "description": "check if the running IIS version is vulnerable",
- "value": "IISTOUCH"
- },
- {
- "description": "get info about 
windows via RPC",
- "value": "RPCOUTCH"
- },
- {
- "description": "used to connect to machines exploited by ETERNALCHAMPIONS",
- "value": "DOPU"
- },
- {
- "description": "covert surveillance tools",
- "value": "FlexSpy"
- },
- {
- "value": "feodo",
- "description": "Unfortunately, it is time to meet 'Feodo'. Since august of this year when FireEye's MPS devices detected this malware in the field, we have been monitoring this banking trojan very closely. In many ways, this malware looks similar to other famous banking trojans like Zbot and SpyEye. Although my analysis says that this malware is not a toolkit and is in the hands of a single criminal group.",
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2010/10/feodosoff-a-new-botnet-on-the-rise.html"
- ]
- }
- },
- {
- "value": "Cardinal RAT",
- "description": "Palo Alto Networks has discovered a previously unknown remote access Trojan (RAT) that has been active for over two years. It has a very low volume in this two-year period, totaling roughly 27 total samples. The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family. These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.",
- "meta": {
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/"
- ]
- }
- },
- {
- "description": "The REDLEAVES implant consists of three parts: an executable, a loader, and the implant shellcode. The REDLEAVES implant is a remote administration Trojan (RAT) that is built in Visual C++ and makes heavy use of thread generation during its execution. 
The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2.",
- "value": "REDLEAVES",
- "meta": {
- "refs": [
- "https://www.us-cert.gov/ncas/alerts/TA17-117A"
- ]
- }
- },
- {
- "description": "Kazuar is a fully featured backdoor written using the .NET Framework and obfuscated using the open source packer called ConfuserEx. Unit 42 researchers have uncovered a backdoor Trojan used in an espionage campaign. The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan’s capabilities. During our analysis of this malware we uncovered interesting code paths and other artifacts that may indicate a Mac or Unix variant of this same tool also exists. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver. We suspect the Kazuar tool may be linked to the Turla threat actor group (also known as Uroburos and Snake), who have been reported to have compromised embassies, defense contractors, educational institutions, and research organizations across the globe. A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005. If the hypothesis is correct and the Turla threat group is using Kazuar, we believe they may be using it as a replacement for Carbon and its derivatives. 
Of the myriad of tools observed in use by Turla Carbon and its variants were typically deployed as a second stage backdoor within targeted environments and we believe Kazuar may now hold a similar role for Turla operations.",
- "value": "Kazuar",
- "meta": {
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/"
- ]
- }
- },
- {
- "description": "Many links indicate, that this bot is another product of the people previously involved in Dyreza. It seems to be rewritten from scratch – however, it contains many similar features and solutions to those we encountered analyzing Dyreza (read more).",
- "value": "Trick Bot",
- "meta": {
- "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
- "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works",
- "https://securityintelligence.com/trickbot-is-hand-picking-private-banks-for-targets-with-redirection-attacks-in-tow/"
- ],
- "synonyms": [
- "TrickBot",
- "TrickLoader"
- ]
- }
- },
- {
- "description": "Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform named Hackshit, that records the credentials of the phished bait victims. The phished bait pages are packaged with base64 encoding and served from secure (HTTPS) websites with “.moe” top level domain (TLD) to evade traditional scanners. “.moe” TLD is intended for the purpose of ‘The marketing of products or services deemed’. The victim’s credentials are sent to the Hackshit PhaaS platform via websockets. 
The Netskope Active Platform can proactively protect customers by creating custom applications and a policy to block all the activities related to Hackshit PhaaS.",
- "value": "Hackshit",
- "meta": {
- "refs": [
- "https://resources.netskope.com/h/i/352356475-phishing-as-a-service-phishing-revamped"
- ]
- }
- },
- {
- "value": "Moneygram Adwind",
- "meta": {
- "refs": [
- "https://myonlinesecurity.co.uk/new-guidelines-from-moneygram-malspam-delivers-a-brand-new-java-adwind-version/"
- ]
- }
- },
- {
- "description": " Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or a drive-by download. When executed, Banload downloads other malware, often banking Trojans, on the victim’s system to carry out further infections.",
- "value": "Banload",
- "meta": {
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2016/03/banload-malware-affecting-brazil-exhibits-unusually-complex-infection-process/",
- "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/banload",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/banload-limits-targets-via-security-plugin/",
- "https://securingtomorrow.mcafee.com/mcafee-labs/banload-trojan-targets-brazilians-with-malware-downloads/"
- ]
- }
- },
- {
- "description": "This small application is used to download other malware. What makes the bot interesting are various tricks that it uses for deception and self protection.",
- "value": "Smoke Loader",
- "meta": {
- "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/"
- ],
- "synonyms": [
- "Dofoil"
- ]
- }
- },
- {
- "description": "The analyzed sample has a recent compilation date (2017-06-24) and is available on VirusTotal. 
It starts out by resolving several Windows functions using API hashing (CRC32 is used as the hashing function).",
- "value": "LockPoS",
- "meta": {
- "refs": [
- "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/"
- ]
- }
- },
- {
- "description": "Win.Worm.Fadok drops several files. %AppData%\\RAC\\mls.exe or %AppData%\\RAC\\svcsc.exe are instances of the malware which are auto-started when Windows starts. Further, the worm drops and opens a Word document. It connects to the domain wxanalytics[.]ru.",
- "value": "Fadok",
- "meta": {
- "refs": [
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm%3AWin32%2FFadok.A",
- "http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html"
- ],
- "synonyms": [
- "Win32/Fadok"
- ]
- }
- },
- {
- "description": "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.",
- "value": "Loki Bot",
- "meta": {
- "refs": [
- "https://phishme.com/loki-bot-malware/"
- ]
- }
- },
- {
- "description": "Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. \nThroughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. 
The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time. In this article, we will analyse this evolution:",
- "value": "KONNI",
- "meta": {
- "refs": [
- "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html"
- ]
- }
- },
- {
- "description": "Recently, Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.",
- "value": "SpyDealer",
- "meta": {
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
- ]
- }
- },
- {
- "value": "CowerSnail",
- "description": "CowerSnail was compiled using Qt and linked with various libraries. This framework provides benefits such as cross-platform capability and transferability of the source code between different operating systems. ",
- "meta": {
- "refs": [
- "https://securelist.com/cowersnail-from-the-creators-of-sambacry/79087/"
- ]
- }
- },
- {
- "description": "In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. 
In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.",
- "value": "Svpeng",
- "meta": {
- "refs": [
- "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/"
- ],
- "synonyms": [
- "trojan-banker.androidos.svpeng.ae"
- ]
- }
- },
- {
- "description": "While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization. The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell. It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server. Due to these two layers, we use the name TwoFace to track this webshell.\nDuring our analysis, we extracted the commands executed by the TwoFace webshell from the server logs on the compromised server. Our analysis shows that the commands issued by the threat actor date back to June 2016; this suggests that the actor had access to this shell for almost an entire year. The commands issued show the actor was interested in gathering credentials from the compromised server using the Mimikatz tool. We also saw the attacker using the TwoFace webshell to move laterally through the network by copying itself and other webshells to other servers.",
- "value": "TwoFace",
- "meta": {
- "type": [
- "webshell"
- ],
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
- ]
- }
- },
- {
- "description": "Like TwoFace, the IntrudingDivisor webshell requires the threat actor to authenticate before issuing commands. 
To authenticate, the actor must provide two pieces of information, first an integer that is divisible by 5473 and a string whose MD5 hash is “9A26A0E7B88940DAA84FC4D5E6C61AD0”. Upon successful authentication, the webshell has a command handler that uses integers within the request to determine the command to execute - To complete",
- "value": "IntrudingDivisor",
- "meta": {
- "type": [
- "webshell"
- ],
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
- ]
- }
- },
- {
- "description": "Attacks that use completely fileless malware are a rare occurrence, so we thought it important to discuss a new trojan known as JS_POWMET (Detected by Trend Micro as JS_POWMET.DE), which arrives via an autostart registry procedure. By utilizing a completely fileless infection chain, the malware will be more difficult to analyze using a sandbox, making it more difficult for anti-malware engineers to examine.",
- "value": "JS_POWMET",
- "meta": {
- "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/"
- ]
- }
- },
- {
- "value": "EngineBox Malware",
- "description": "The main malware capabilities include a privilege escalation attempt using MS16–032 exploitation; a HTTP Proxy to intercept banking transactions; a backdoor to make it possible for the attacker to issue arbitrary remote commands and a C&C through a IRC channel. As it's being identified as a Generic Trojan by most of VirusTotal (VT) engines, let s name it EngineBox— the core malware class I saw after reverse engineering it.",
- "meta": {
- "refs": [
- "https://isc.sans.edu/diary/22736"
- ]
- }
- },
- {
- "value": "Joao",
- "description": "Spread via hacked Aeria games offered on unofficial websites, the modular malware can download and install virtually any other malicious code on the victim’s computer. 
To spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games (MMORPGs) originally published by Aeria Games. At the time of writing this article, the Joao downloader was being distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.", - "meta": { - "refs": [ - "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/" - ] - } - }, - { - "value": "Fireball", - "description": "Upon execution, Fireball installs a browser hijacker as well as any number of adware programs. Several different sources have linked different indicators of compromise (IOCs) and varied payloads, but a few details remain the same.", - "meta": { - "refs": [ - "https://www.cylance.com/en_us/blog/threat-spotlight-is-fireball-adware-or-malware.html" - ] - } - }, - { - "value": "ShadowPad", - "description": "ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. This stage is responsible for connecting to “validation” command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes.", - "meta": { - "refs": [ - "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf" - ] - } - }, - { - "value": "IoT_reaper", - "description": "IoT_reaper is fairly large now and is actively expanding. 
For example, there are multiple C2s we are tracking, the most recently data (October 19) from just one C2 shows the number of unique active bot IP address is more than 10k per day. While at the same time, there are millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet.", - "meta": { - "refs": [ - "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/" - ] - } - }, - { - "value": "FormBook", - "description": "FormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016.", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", - "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/" - ] - } - }, - { - "value": "Dimnie", - "description": "Dimnie, the commonly agreed upon name for the binary dropped by the PowerShell script above, has been around for several years. Palo Alto Networks has observed samples dating back to early 2014 with identical command and control mechanisms. The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign.", - "meta": { - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/" - ] - } - }, - { - "value": "ALMA Communicator", - "description": "The ALMA Communicator Trojan is a backdoor Trojan that uses DNS tunneling exclusively to receive commands from the adversary and to exfiltrate data. 
This Trojan specifically reads in a configuration from the cfg file that was initially created by the Clayslide delivery document. ALMA does not have an internal configuration, so the Trojan does not function without the cfg file created by the delivery document.", - "meta": { - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/" - ] - } - }, - { - "value": "Silence", - "description": "In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks but we also found infected organizations in Malaysia and Armenia. The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day to day activity on bank employees’ PCs, learning how things works in their target banks, what software is being used, and then using that knowledge to steal as much money as possible when ready. \nWe saw that technique before in Carbanak, and other similar cases worldwide. The infection vector is a spear-phishing email with a malicious attachment. An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims.", - "meta": { - "refs": [ - "https://securelist.com/the-silence/83009/" - ] - } - }, - { - "value": "Volgmer", - "description": "Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries. 
It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer", - "meta": { - "refs": [ - "https://www.us-cert.gov/ncas/alerts/TA17-318B" - ] - } - }, - { - "value": "Nymaim", - "description": "Nymaim is a 2-year-old strain of malware most closely associated with ransomware. We have seen recent attacks spreading it using an established email marketing service provider to avoid blacklists and detection tools. But instead of ransomware, the malware is now being used to distribute banking Trojans", - "meta": { - "refs": [ - "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0" - ] - } - }, - { - "value": "GootKit", - "description": "As was the case earlier, the bot Gootkit is written in NodeJS, and is downloaded to a victim computer via a chain of downloaders. The main purpose of the bot also remained the same – to steal banking data. The new Gootkit version, detected in September, primarily targets clients of European banks, including those in Germany, France, Italy, the Netherlands, Poland, etc.", - "meta": { - "refs": [ - "https://securelist.com/inside-the-gootkit-cc-server/76433/", - "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", - "https://securityintelligence.com/gootkit-launches-redirection-attacks-in-the-uk/", - "https://www.symantec.com/security_response/writeup.jsp?docid=2010-051118-0604-99" - ], - "synonyms": [ - "Gootkit" - ] - } - }, - { - "value": "Agent Tesla", - "description": "Agent Tesla is modern powerful keystroke logger. It provides monitoring your personel computer via keyboard and screenshot. Keyboard, screenshot and registered passwords are sent in log. 
You can receive your logs via e-mail, ftp or php(web panel). ", - "meta": { - "refs": [ - "https://www.agenttesla.com/" - ] - } - }, - { - "value": "Ordinypt", - "description": "A new ransomware strain called Ordinypt is currently targeting victims in Germany, but instead of encrypting users' documents, the ransomware rewrites files with random data. Ordinypt is actually a wiper and not ransomware because it does not bother encrypting anything, but just replaces files with random data.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/" - ], - "synonyms": [ - "HSDFSDCrypt" - ] - } - }, - { - "value": "StrongPity2", - "description": "Detected by ESET as Win32/StrongPity2, this spyware notably resembles one that was attributed to the group called StrongPity.", - "meta": { - "synonyms": [ - "Win32/StrongPity2" - ], - "refs": [ - "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/" - ] - } - }, - { - "value": "wp-vcd", - "description": "WordPress site owners should be on the lookout for a malware strain tracked as wp-vcd that hides in legitimate WordPress files and that is used to add a secret admin user and grant attackers control over infected sites.\nThe malware was first spotted online over the summer by Italian security researcher Manuel D'Orso.\nThe initial version of this threat was loaded via an include call for the wp-vcd.php file —hence the malware's name— and injected malicious code into WordPress core files such as functions.php and class.wp.php. 
This was not a massive campaign, but attacks continued throughout the recent months.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-campaign-is-back/", - "https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-spreads-via-nulled-wordpress-themes/" - ] - } - }, - { - "value": "MoneyTaker 5.0", - "description": "malicious program for auto replacement of payment data in AWS CBR", - "meta": { - "refs": [ - "https://www.group-ib.com/blog/moneytaker" - ] - } - }, - { - "value": "Quant Loader", - "description": "Described as a \"professional exe loader / dll dropper\" Quant Loader is in fact a very basic trojan downloader. It began being advertised on September 1, 2016 on various Russian underground forums.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/", - "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground" - ] - } - }, - { - "value": "SSHDoor", - "description": "The Secure Shell Protocol (SSH) is a very popular protocol used for secure data communication. It is widely used in the Unix world to manage remote servers, transfer files, etc. The modified SSH daemon described here, Linux/SSHDoor.A, is designed to steal usernames and passwords and allows remote access to the server via either an hardcoded password or SSH key.", - "meta": { - "refs": [ - "https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/" - ] - } - }, - { - "value": "TRISIS", - "description": "(Dragos Inc.) The team identifies this malware as TRISIS because it targets Schneider Electric’s Triconex safety instrumented system (SIS) enabling the replacement of logic in final control elements. TRISIS is highly targeted and likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products. 
(FireEye Inc.) This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack. TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. ", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", - "https://dragos.com/blog/trisis/TRISIS-01.pdf" - ], - "synonyms": [ - "TRITON" - ] - } - }, - { - "value": "OSX.Pirrit", - "description": "macOS adware strain ", - "meta": { - "refs": [ - "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", - "https://www2.cybereason.com/research-osx-pirrit-mac-adware", - "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf" - ], - "synonyms": [ - "OSX/Pirrit" - ] - } - }, - { - "value": "GratefulPOS", - "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. 
Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.", - "meta": { - "refs": [ - "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season" - ] - } - }, - { - "value": "PRILEX", - "description": "Prilex malware steals the information of the infected ATM’s users. In this case, it was a Brazilian bank, but consider the implications of such an attack in your region, whether you’re a customer or the bank.", - "meta": { - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/" - ] - } - }, - { - "value": "CUTLET MAKER", - "description": "Cutlet Maker is an ATM malware designed to empty the machine of all its banknotes. 
Interestingly, while its authors have been advertising its sale, their competitors have already cracked the program, allowing anybody to use it for free.", - "meta": { - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/" - ] - } - }, - { - "value": "Satori", - "description": "According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/", - "https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant" - ], - "synonyms": [ - "Okiru" - ] - } - }, - { - "value": "PowerSpritz", - "description": "PowerSpritz is a Windows executable that hides both its legitimate payload and malicious PowerShell command using a non-standard implementation of the already rarely used Spritz encryption algorithm (see the Attribution section for additional analysis of the Spritz implementation). 
This malicious downloader has been observed being delivered via spearphishing attacks using the TinyCC link shortener service to redirect to likely attacker-controlled servers hosting the malicious PowerSpritz payload.", - "meta": { - "refs": [ - "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" - ] - } - }, - { - "value": "PowerRatankba", - "description": "PowerRatankba is used for the same purpose as Ratankba: as a first stage reconnaissance tool and for the deployment of further stage implants on targets that are deemed interesting by the actor. Similar to its predecessor, PowerRatankba utilizes HTTP for its C&C communication.", - "meta": { - "refs": [ - "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" - ] - } - }, - { - "value": "Ratankba", - "description": "In one instance we observed, one of the initial malware delivered to the victim, RATANKBA, connects to a legitimate but compromised website from which a hack tool (nbt_scan.exe) is also downloaded. The domain also serves as one of the campaign’s platform for C&C communication.\nThe threat actor uses RATANKBA to survey the lay of the land as it looks into various aspects of the host machine where it has been initially downloaded—the machine that has been victim of the watering hole attack. Information such as the running tasks, domain, shares, user information, if the host has default internet connectivity, and so forth.", - "meta": { - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/" - ] - } - }, - { - "value": "USBStealer", - "description": "USBStealer serves as a network tool that extracts sensitive information from air-gapped networks. 
We have not seen this component since mid 2015.",
- "meta": {
- "refs": [
- "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
- ]
- }
- },
- {
- "value": "Downdelph",
- "description": "Downdelph is a lightweight downloader developed in the Delphi programming language. As we already mentioned in our white paper, its period of activity was from November 2013 to September 2015 and there have been no new variants seen since.",
- "meta": {
- "refs": [
- "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
- ]
- }
- },
- {
- "value": "CoinMiner",
- "description": "Monero-mining malware",
- "meta": {
- "refs": [
- "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/"
- ]
- }
- },
- {
- "value": "FruitFly",
- "description": "A fully-featured backdoor, designed to perversely spy on Mac users",
- "meta": {
- "refs": [
- "https://objective-see.com/blog/blog_0x25.html#FruitFly"
- ]
- }
- },
- {
- "value": "MacDownloader",
- "description": "Iranian macOS exfiltration agent, targeting the 'defense industrial base' and human rights advocates.",
- "meta": {
- "refs": [
- "https://objective-see.com/blog/blog_0x25.html#MacDownloader"
- ],
- "synonyms": [
- "iKitten"
- ]
- }
- },
- {
- "value": "Empyre",
- "description": "The open-source macOS backdoor, 'Empye', maliciously packaged into a macro'd Word document",
- "meta": {
- "refs": [
- "https://objective-see.com/blog/blog_0x25.html#Empyre"
- ],
- "synonyms": [
- "Empye"
- ]
- }
- },
- {
- "value": "Proton",
- "description": "A fully-featured macOS backdoor, designed to collect and exfiltrate sensitive user data such as 1Password files, browser login data, and keychains.",
- "meta": {
- "refs": [
- "https://objective-see.com/blog/blog_0x25.html#Proton"
- ]
- }
- },
- {
- "value": "Mughthesec",
- "description": "Adware which hijacks a macOS user's homepage to redirect search queries.",
- "meta": {
- "refs": [
- "https://objective-see.com/blog/blog_0x25.html"
- ]
- }
- },
- {
- "value": "Pwnet",
- "description": "A macOS crypto-currency miner, distributed via a trojaned 'CS-GO' hack.",
- "meta": {
- "refs": [
- "https://objective-see.com/blog/blog_0x25.html"
- ]
- }
- },
- {
- "value": "CpuMeaner",
- "description": "A macOS crypto-currency mining trojan.",
- "meta": {
- "refs": [
- "https://objective-see.com/blog/blog_0x25.html"
- ]
- }
- },
- {
- "value": "Travle",
- "description": "The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The malware name Travle was chosen given a string found in early samples of this family: “Travle Path Failed!”. This typo was replaced with correct word “Travel” in newer releases. We believe that Travle could be a successor to the NetTraveler family.",
- "meta": {
- "refs": [
- "https://securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455/"
- ],
- "synonyms": [
- "PYLOT"
- ]
- }
- },
- {
- "value": "Digmine",
- "description": "Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends. The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line. 
This functionality’s code is pushed from the command-and-control (C&C) server, which means it can be updated.", - "meta": { - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/" - ] - } - } - ] -} + "name": "Tool", + "type": "tool", + "source": "MISP Project", + "authors": [ + "Alexandre Dulaunoy", + "Florian Roth", + "Timo Steffens", + "Christophe Vandeplas" + ], + "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", + "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", + "version": 52, + "values": [ + { + "meta": { + "type": [ + "Banking" + ], + "synonyms": [ + "Hunter", + "Zusy", + "TinyBanker" + ], + "refs": [ + "https://thehackernews.com/search/label/Zusy%20Malware", + "http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/" + ] + }, + "description": "Banking Malware", + "value": "Tinba", + "uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "synonyms": [ + "Backdoor.FSZO-5117", + "Trojan.Heur.JP.juW@ayZZvMb", + "Trojan.Inject1.6386", + "Korplug", + "Agent.dhwf" + ], + "refs": [ + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx" + ] + }, + "description": "Malware", + "value": "PlugX", + "uuid": "f4b159ea-97e5-483b-854b-c48a78d562aa" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx" + ] + }, + "description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", + "value": "MSUpdater", + "uuid": "f85d2d5a-6e3c-44e4-bd3b-6100c04b4ba9" + }, + { + "meta": { + "type": [ + "HackTool" + ], + "refs": [ + "https://github.com/AlessandroZ/LaZagne" + ] + }, + "description": "A password sthealing tool regularly used by 
attackers", + "value": "Lazagne", + "uuid": "d0394d50-5316-4405-aa77-1070bdf68b6a" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "synonyms": [ + "Backdoor.Win32.PoisonIvy", + "Gen:Trojan.Heur.PT" + ], + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", + "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml" + ] + }, + "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", + "value": "Poison Ivy", + "uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" + ] + }, + "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we\u2019ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", + "value": "SPIVY", + "uuid": "a3d2e7fe-a8e4-48c7-8d47-b9430898af08" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "synonyms": [ + "Anchor Panda" + ], + "refs": [ + "https://www.crowdstrike.com/blog/whois-anchor-panda/" + ] + }, + "value": "Torn RAT", + "uuid": "32a67552-3b31-47bb-8098-078099bbc813" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "synonyms": [ + "Ozone RAT", + "ozonercp" + ], + "refs": [ + "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" + ] + }, + "value": "OzoneRAT", + "uuid": "e3010d81-94e2-43a9-98ed-61925b02be6e" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "synonyms": [ + "BackDoor-FBZT!52D84425CDF2", + "Trojan.Win32.Staser.ytq", + "Win32/Zegost.BW" + ], + "refs": [ + "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW" + ] + }, + "description": "ZeGhots is a RAT which was freely available and first released in 2014.", + "value": "ZeGhost", + "uuid": "c7706d12-fb62-4db6-bbe3-fef2da0181e7" + }, + { + 
"meta": { + "type": [ + "dropper", + "PWS" + ], + "synonyms": [ + "Elise" + ], + "refs": [ + "http://thehackernews.com/2015/08/elise-malware-hacking.html" + ] + }, + "description": "Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", + "value": "Elise Backdoor", + "uuid": "d70fd29d-590e-4ed5-b72f-6ce0142019c6" + }, + { + "meta": { + "type": [ + "PWS", + "reco" + ], + "synonyms": [ + "Laziok" + ], + "refs": [ + "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector" + ] + }, + "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.", + "value": "Trojan.Laziok", + "uuid": "7ccd3821-e825-4ff8-b4be-92c9732ce708" + }, + { + "meta": { + "type": [ + "Spyware", + "AndroidOS" + ], + "synonyms": [ + "GM-Bot", + "SlemBunk", + "Bankosy", + "Acecard" + ], + "refs": [ + "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/" + ] + }, + "description": "Android-based malware", + "value": "Slempo", + "uuid": "f8047de2-fefc-4ee0-825b-f1fae4b20c09" + }, + { + "meta": { + "type": [ + "Dropper", + "Miner", + "Spyware" + ], + "synonyms": [ + "PWOLauncher", + "PWOHTTPD", + "PWOKeyLogger", + "PWOMiner", + "PWOPyExec", + "PWOQuery" + ], + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" + ] + }, + "description": "We have discovered a malware family named \u2018PWOBot\u2019 that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. 
Additionally, the malware is delivered via a popular Polish file-sharing web service.",
+ "value": "PWOBot",
+ "uuid": "17de0952-3841-44d3-b03a-cc90e123d2b8"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"
+ ],
+ "synonyms": [
+ "LostDoor RAT",
+ "BKDR_LODORAT"
+ ]
+ },
+ "description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",
+ "value": "Lost Door RAT",
+ "uuid": "6d0b7543-a6e5-49fc-832e-bd594460187c"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf",
+ "https://github.com/kevthehermit/RATDecoders/blob/master/yaraRules/njRat.yar"
+ ],
+ "synonyms": [
+ "Bladabindi",
+ "Jorik"
+ ]
+ },
+ "value": "njRAT",
+ "uuid": "a860d257-4a39-47ec-9230-94cac67ebf7e"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter",
+ "https://nanocore.io/"
+ ],
+ "synonyms": [
+ "NanoCore",
+ "Nancrat",
+ "Zurten",
+ "Atros2.CKPN"
+ ]
+ },
+ "value": "NanoCoreRAT",
+ "uuid": "a8111fb7-d4c4-4671-a6f9-f62fea8bad60"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://www.secureworks.com/research/sakula-malware-family"
+ ],
+ "synonyms": [
+ "Sakurel"
+ ]
+ },
+ "value": "Sakula",
+ "uuid": "f6c137f0-979c-4ce2-a0e5-2a080a5a1746"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
+ ]
+ },
+ "value": "Hi-ZOR",
+ "uuid": "e8fbb7b4-2f27-4028-975a-485d4c2dd977"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
+ "https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf"
+ ],
+ "synonyms": [
+ "TROJ_DLLSERV.BE"
+ ]
+ },
+ "value": "Derusbi",
+ "uuid": "eff68b97-f36e-4827-ab1a-90523c16774c"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/",
+ "http://researchcenter.paloaltonetworks.com/2015/06/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/"
+ ],
+ "synonyms": [
+ "BKDR_HGDER",
+ "BKDR_EVILOGE",
+ "BKDR_NVICM",
+ "Wmonder"
+ ]
+ },
+ "value": "EvilGrab",
+ "uuid": "c9b4ec27-0a43-4671-a967-bcac5df0e056"
+ },
+ {
+ "meta": {
+ "type": [
+ "Dropper"
+ ],
+ "refs": [
+ "https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid",
+ "http://telussecuritylabs.com/threats/show/TSL20120614-05"
+ ],
+ "synonyms": [
+ "Naid",
+ "Mdmbot.E",
+ "AGENT.GUNZ",
+ "AGENT.AQUP.DROPPER",
+ "AGENT.BMZA",
+ "MCRAT.A",
+ "AGENT.ABQMR"
+ ]
+ },
+ "value": "Trojan.Naid",
+ "uuid": "170db76b-93f7-4fd1-97fc-55937c079b66"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "http://www.darkreading.com/attacks-breaches/elite-chinese-cyberspy-group-behind-bit9-hack/d/d-id/1140495",
+ "https://securityledger.com/2013/09/apt-for-hire-symantec-outs-hidden-lynx-hacking-crew/"
+ ],
+ "synonyms": [
+ "SCAR",
+ "KillProc.14145"
+ ]
+ },
+ "description": "Backdoor.Moudoor, a customized version of Gh0st RAT",
+ "value": "Moudoor",
+ "uuid": "46fd9884-208c-43c7-8ec3-b9fabce30b30"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/"
+ ],
+ "synonyms": [
+ "TravNet",
+ "Netfile"
+ ]
+ },
+ "description": "APT that infected hundreds of high profile victims in more than 40 countries. 
Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.", + "value": "NetTraveler", + "uuid": "59b70721-6fed-4805-afa5-4ff2554bef81" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/", + "https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf" + ], + "synonyms": [ + "Etso", + "SUQ", + "Agent.ALQHI" + ] + }, + "description": "APT used As part of Operation SMN, Novetta analyzed recent versions of the Winnti malware. The samples, compiled from mid- to late 2014, exhibited minimal functional changes over the previous generations Kaspersky reported in 2013.", + "value": "Winnti", + "uuid": "9b3a4cff-1c5a-4fd6-b49c-27240b6d622c" + }, + { + "meta": { + "type": [ + "HackTool" + ], + "refs": [ + "https://github.com/gentilkiwi/mimikatz", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/" + ], + "synonyms": [ + "Mikatz" + ] + }, + "description": "Ease Credential stealh and replay, A little tool to play with Windows security.", + "value": "Mimikatz", + "uuid": "7f3a035d-d83a-45b8-8111-412aa8ade802" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "https://github.com/gnaegle/cse4990-practical3", + "https://www.securestate.com/blog/2013/02/20/apt-if-it-aint-broke" + ] + }, + "description": "Backdoor attribued to APT1", + "value": "WEBC2", + "uuid": "b5be84b7-bf2c-40d0-85a9-14c040881a98" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + ], + "synonyms": [ + "Badey", + "EXL" + ] + }, + "description": "Symantec has observed Buckeye 
activity dating back to 2009, involving attacks on various organizations in several regions. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organization\u2019s network in 2009. The group delivered Backdoor.Pirpi through malicious attachments or links in convincing spear-phishing emails.", + "value": "Pirpi", + "uuid": "4859330d-c6a5-4b9c-b45b-536ec983cd4a" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/" + ] + }, + "description": "RARSTONE is a Remote Access Tool (RAT) discovered early 2013 by TrendMicro, it\u2019s characterized by a great affinity with the other RAT know as Plug is and was used in April for phishing campaigns that followed the dramatic attack to the Boston Marathon.", + "value": "RARSTONE", + "uuid": "5d2dd6ad-6bb2-45d3-b295-e125d3399c8d" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "https://www2.fireeye.com/WEB-2015RPTAPT30.html", + "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf" + ], + "synonyms": [ + "Lecna" + ] + }, + "description": "Backspace is a Backdoor that targets the Windows platform. 
This malware is reportedly associated with targeted attacks against Association of Southeast Asian Nations (ASEAN) members (APT30).", + "value": "Backspace", + "uuid": "cd6c5f27-cf7e-4529-ae9c-ab5b85102bde" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", + "https://kasperskycontenthub.com/securelist/files/2015/05/TheNaikonAPT-MsnMM.pdf" + ] + }, + "description": "Backdoor user by he Naikon APT group", + "value": "XSControl", + "uuid": "2e3712e3-fd7b-43d1-8b4f-2ba7fc551bbb" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "synonyms": [ + "scout", + "norton" + ], + "refs": [ + "https://attack.mitre.org/wiki/Software/S0034", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ] + }, + "description": "NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as Scout and Norton.", + "value": "Neteagle", + "uuid": "0ee08ab5-140c-44c3-9b0a-4a352500b14e" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "https://blog.gdatasoftware.com/2015/01/23927-evolution-of-sophisticated-spyware-from-agent-btz-to-comrat" + ], + "synonyms": [ + "ComRat" + ] + }, + "description": "In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. 
We explained that this case is linked to the Uroburos rootkit.", + "value": "Agent.BTZ", + "uuid": "da079741-05e6-458c-b434-011263dc691c" + }, + { + "description": "RAT bundle with standard VNC (to avoid/limit A/V detection).", + "value": "Heseber BOT", + "uuid": "b1b7e7d8-3778-4783-9cc7-9ec04b146031" + }, + { + "value": "Agent.dne", + "uuid": "93fe1644-a7a6-4e5a-bc3b-88984b251fde" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" + ], + "synonyms": [ + "Tavdig", + "Epic Turla", + "WorldCupSec", + "TadjMakhal" + ] + }, + "description": "Waterbug is the name given to the actors who use the malware tools Trojan.Wipbot (also known as Tavdig and Epic Turla)", + "value": "Wipbot", + "uuid": "36c0faf0-428e-4e7f-93c5-824bb0495ac9" + }, + { + "meta": { + "type": [ + "Backdoor", + "Rootkit" + ], + "refs": [ + "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", + "https://objective-see.com/blog/blog_0x25.html#Snake" + ], + "synonyms": [ + "Snake", + "Uroburos", + "Urouros" + ] + }, + "description": "Family of related sophisticated backdoor software - Name comes from Microsoft detection signature \u2013 anagram of Ultra (Ultra3) was a name of the fake driver). 
A macOS version exists but appears incomplete and lacking features...for now!", + "value": "Turla", + "uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c" + }, + { + "value": "Winexe", + "uuid": "811bdec0-e236-48ae-b27c-1a8fe0bfc3a9" + }, + { + "description": "RAT initialy identified in 2011 and still actively used.", + "value": "Dark Comet", + "uuid": "9ad11139-e928-45cf-a0b4-937290642e92" + }, + { + "meta": { + "synonyms": [ + "WinSpy" + ] + }, + "value": "Cadelspy", + "uuid": "38d6a0a1-0388-40d4-b8f4-1d58eeb9a07d" + }, + { + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" + ] + }, + "value": "CMStar", + "uuid": "e81b96a2-22e9-445e-88c7-65b67c2299ec" + }, + { + "meta": { + "refs": [ + "https://securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf" + ], + "synonyms": [ + "iRAT" + ] + }, + "value": "DHS2015", + "uuid": "d6420953-0e85-4330-abc2-3a8b9dda046b" + }, + { + "meta": { + "refs": [ + "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf" + ], + "synonyms": [ + "Gh0stRat, GhostRat" + ] + }, + "description": "Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago.", + "value": "Gh0st Rat", + "uuid": "cb8c8253-4024-4cc9-8989-b4a5f95f6c2f" + }, + { + "meta": { + "refs": [ + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf" + ], + "synonyms": [ + "FAKEM" + ] + }, + "description": "Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages). 
", + "value": "Fakem RAT", + "uuid": "eead5605-0d79-4942-a6c2-efa6853cdf6b" + }, + { + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/" + ], + "synonyms": [ + "Hupigon", + "BKDR_HUPIGON" + ] + }, + "value": "MFC Huner", + "uuid": "a5a48311-afbf-44c4-8045-46ffd51cd4d0" + }, + { + "meta": { + "refs": [ + "https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-charges-connection", + "https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/" + ] + }, + "description": "Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014.", + "value": "Blackshades", + "uuid": "8c3202d5-1671-46ec-9d42-cb50dbe2f667" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "possible_issues": "Report tells that is could be Xagent alias (Java Rat)", + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ], + "synonyms": [ + "webhp", + "SPLM", + "(.v2 fysbis)" + ] + }, + "description": "backdoor used by apt28 ", + "value": "CHOPSTICK", + "uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "possible_issues": "Report tells that is could be Xagent alias (Java Rat)", + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ], + "synonyms": [ + "Sedreco", + "AZZY", + "ADVSTORESHELL", + "NETUI" + ] + }, + "description": "backdoor used by apt28\n\nSedreco serves as a spying backdoor; its functionalities can be extended with dynamically loaded plugins. It is made up of two distinct components: a dropper and the persistent payload installed by this dropper. 
We have not seen this component since April 2016.", + "value": "EVILTOSS", + "uuid": "6374fc53-9a0d-41ba-b9cf-2a9765d69fbb" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ], + "synonyms": [ + "Sednit", + "Seduploader", + "JHUHUGIT", + "Sofacy" + ] + }, + "description": "backdoor", + "value": "GAMEFISH", + "uuid": "43cd8a09-9c80-48c8-9568-1992433af60a" + }, + { + "meta": { + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ], + "synonyms": [ + "Sofacy" + ] + }, + "description": "downloader - Older version of CORESHELL", + "value": "SOURFACE", + "uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa" + }, + { + "meta": { + "type": [ + "PWS" + ], + "refs": [ + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_sasfis.tl", + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ], + "synonyms": [ + "Sasfis", + "BackDoor-FDU", + "IEChecker" + ] + }, + "description": "credential harvester", + "value": "OLDBAIT", + "uuid": "6d1e2736-d363-49aa-9054-9c9e4ac0c520" + }, + { + "meta": { + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + ], + "synonyms": [ + "Sofacy" + ] + }, + "description": "downloader - Newer version of SOURFACE", + "value": "CORESHELL", + "uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd" + }, + { + "meta": { + "synonyms": [ + "Havex" + ] + }, + "value": "Havex RAT", + "uuid": "d7183f66-59ec-4803-be20-237b442259fc" + }, + { + "meta": { + "refs": [ + "https://www.sentinelone.com/blog/understanding-kjw0rm-malware-we-dive-in-to-the-tv5-cyber-attack/" + ] + }, + "description": "RAT initially written in VB.", + "value": "KjW0rm", + "uuid": "b3f7a454-3b23-4149-99aa-0132323814d0" + }, + { + "value": "TinyTyphon", + "uuid": "1b591586-e1ef-4a32-8dae-791aca5ddf41" + }, + { + "value": "Badnews", + "uuid": "48ca79ff-ea36-4a47-8231-0f7f0db0e09e" + }, 
+ { + "value": "LURK", + "uuid": "fcece2f7-e0ef-44e0-aa9f-578c2a56f532" + }, + { + "value": "Oldrea", + "uuid": "f2e17736-9575-4a91-92ab-bb82bb0bf900" + }, + { + "value": "AmmyAdmin", + "uuid": "d1006b04-3015-49ea-9414-a968a0f74106" + }, + { + "value": "Matryoshka", + "uuid": "cb6c49ab-b9ac-459f-b765-05cbe2e63b0d" + }, + { + "value": "TinyZBot", + "uuid": "e2cc27a2-4146-4f08-8e80-114a99204cea" + }, + { + "value": "GHOLE", + "uuid": "43a0d8a7-558d-4104-8a24-55e6e7a503db" + }, + { + "value": "CWoolger", + "uuid": "005b46a2-9498-473a-bee2-0db91e5fb327" + }, + { + "value": "FireMalv", + "uuid": "6ef11b6e-d81a-465b-9dce-fab5c6fe807b" + }, + { + "meta": { + "synonyms": [ + "Prax", + "WarriorPride" + ], + "refs": [ + "https://en.wikipedia.org/wiki/Regin_(malware)" + ] + }, + "description": "Regin (also known as Prax or WarriorPride) is a sophisticated malware toolkit revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download including malware discovered at Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003. 
The name Regin is first found on the VirusTotal website on 9 March 2011.", + "value": "Regin", + "uuid": "0cf21558-1217-4d36-9536-2919cfd44825" + }, + { + "value": "Duqu", + "uuid": "809b54c3-dd6a-4ec9-8c3a-a27b9baa6732" + }, + { + "value": "Flame", + "uuid": "d7963066-62ed-4494-9b8c-4b8b691a7c82" + }, + { + "value": "Stuxnet", + "uuid": "1b63293f-13f0-4c25-9bf6-6ebc023fc8ff" + }, + { + "value": "EquationLaser", + "uuid": "21f7a57b-7778-4b3e-9b50-5289ae3b445d" + }, + { + "value": "EquationDrug", + "uuid": "3e0c2d35-87cb-40f9-b341-a6c8dbec697e" + }, + { + "value": "DoubleFantasy", + "uuid": "fb8828a4-76de-467d-9f52-528984aa9b8d" + }, + { + "value": "TripleFantasy", + "uuid": "a4cebcc4-9e9b-415f-aa05-dd71c4e288fe" + }, + { + "value": "Fanny", + "uuid": "1e25d254-3f03-4752-b8d6-023a23e7d4ae" + }, + { + "value": "GrayFish", + "uuid": "2407bd9a-a3a4-40c4-86de-be6965243c67" + }, + { + "value": "Babar", + "uuid": "57b221bc-7ed6-4080-bc66-813d17009485" + }, + { + "value": "Bunny", + "uuid": "5589c428-792b-4439-b0db-07862765d96b" + }, + { + "value": "Casper", + "uuid": "63b3e6fb-9bb8-43dc-9cbf-7681b049b5d6" + }, + { + "value": "NBot", + "uuid": "97fa32d6-5d1d-43df-b765-4a0e31d7f179" + }, + { + "value": "Tafacalou", + "uuid": "835943ed-75d7-4225-9075-a8e2b2136fad" + }, + { + "value": "Tdrop", + "uuid": "4d81c146-56e1-45d2-b0e4-75d0acec8102" + }, + { + "value": "Troy", + "uuid": "9825aa1f-6414-4f26-8487-605dd6c718d1" + }, + { + "value": "Tdrop2", + "uuid": "aff99aad-5231-4f14-8e68-67e87fb13b5c" + }, + { + "meta": { + "refs": [ + "http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html" + ], + "synonyms": [ + "Sensode" + ] + }, + "value": "ZXShell", + "uuid": "5b9dc67e-bae4-44f3-b58d-6d842a744104" + }, + { + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" + ] + }, + "value": "T9000", + "uuid": 
"66575fb4-7f92-42d8-8c47-e68a26413081" + }, + { + "meta": { + "refs": [ + "http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml" + ], + "synonyms": [ + "Plat1" + ] + }, + "value": "T5000", + "uuid": "e957f773-f6d2-410f-8163-5f0c17a7bde2" + }, + { + "meta": { + "refs": [ + "http://www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks" + ] + }, + "value": "Taidoor", + "uuid": "cda7d605-23d0-4f93-a585-1276f094c04a" + }, + { + "meta": { + "refs": [ + "http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/" + ] + }, + "value": "Swisyn", + "uuid": "1688dc7a-0ef9-49a9-a467-5231a5552b41" + }, + { + "meta": { + "refs": [ + "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" + ] + }, + "value": "Rekaf", + "uuid": "cfe948c6-b8a6-437a-9d82-d81660e0287b" + }, + { + "value": "Scieron", + "uuid": "267bf78e-f430-47b6-8ba0-1ae31698c711" + }, + { + "meta": { + "refs": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/" + ] + }, + "value": "SkeletonKey", + "uuid": "7709fedd-5083-4b54-bcd8-af3f76f6d171" + }, + { + "meta": { + "refs": [ + "http://labs.alienvault.com/labs/index.php/2011/another-sykipot-sample-likely-targeting-us-federal-agencies/" + ] + }, + "value": "Skyipot", + "uuid": "72e2b7b5-2718-4942-9ca2-17fa6730261f" + }, + { + "meta": { + "refs": [ + "http://www.threatconnect.com/news/threatconnect-enables-healthy-networking-biomed-life-sciences-industry/" + ] + }, + "value": "Spindest", + "uuid": "447735ac-82e4-4c97-b048-56b7e47203ef" + }, + { + "value": "Preshin", + "uuid": "d87326a3-fb94-448c-9615-8ec036c1df3a" + }, + { + "value": "Oficla", + "uuid": "b3ea33fd-eaa0-4bab-9bd0-12534c9aa987" + }, + { + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/" + ] + }, + "value": "PCClient RAT", + "uuid": "f68d2200-cb9d-42de-9e5e-be2a8f674c5e" + }, + { 
+ "value": "Plexor", + "uuid": "8fb00a59-0dec-4d7f-bd53-9826b3929f39" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" + ] + }, + "value": "Mongall", + "uuid": "aa3aa21f-bc4e-4fb6-acd2-f4b6de482dfe" + }, + { + "meta": { + "refs": [ + "http://www.clearskysec.com/dustysky/" + ] + }, + "value": "NeD Worm", + "uuid": "eedcf785-d011-4e17-96c4-6ff39138ada0" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" + ] + }, + "value": "NewCT", + "uuid": "c5e3766c-9527-47c3-94db-f10de2c56248" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" + ] + }, + "value": "Nflog", + "uuid": "b2ec2dca-5d49-4efa-9a9e-75126346d1ed" + }, + { + "meta": { + "refs": [ + "http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/" + ] + }, + "value": "Janicab", + "uuid": "c3c20c4b-e12a-42e5-960a-eea4644014f4" + }, + { + "meta": { + "refs": [ + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf" + ], + "synonyms": [ + "Jiripbot" + ] + }, + "value": "Jripbot", + "uuid": "05e2ccec-7050-47cf-b925-50907f57c639" + }, + { + "meta": { + "refs": [ + "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" + ] + }, + "value": "Jolob", + "uuid": "4d4528ff-6260-4b5d-b2ea-6e11ca02c396" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" + ] + }, + "value": "IsSpace", + "uuid": "b9707a57-d15f-4937-b022-52cc17f6783f" + }, + { + "value": "Emotet", + "meta": { + "refs": [ + "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/" + ], + "synonyms": [ + "Geodo" 
+ ] + }, + "uuid": "3f7616bd-f1de-46ee-87c2-43c0c2edaa28" + }, + { + "meta": { + "synonyms": [ + "Hoarde", + "Phindolp", + "BS2005" + ] + }, + "value": "Hoardy", + "uuid": "25cd01bc-1346-4415-8f8d-d3656309ef6b" + }, + { + "meta": { + "refs": [ + "http://www.secureworks.com/research/threats/htran/" + ] + }, + "value": "Htran", + "uuid": "f3bfe513-2a65-49b5-9d64-a66541dce697" + }, + { + "meta": { + "refs": [ + "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" + ], + "synonyms": [ + "TokenControl" + ] + }, + "value": "HTTPBrowser", + "uuid": "08e2c9ef-aa62-429f-a6e5-e901ff6883cd" + }, + { + "value": "Disgufa", + "uuid": "3a57bb24-b493-4698-bf46-6465c6cf5446" + }, + { + "value": "Elirks", + "uuid": "c0ea7b89-d246-4eb7-8de4-b4e17e135051" + }, + { + "meta": { + "refs": [ + "https://www.circl.lu/pub/tr-13/" + ], + "synonyms": [ + "Ursnif" + ] + }, + "value": "Snifula", + "uuid": "75b01a1e-3269-4f4c-bdba-37af4e9c3f54" + }, + { + "meta": { + "refs": [ + "http://www.cybersquared.com/killing-with-a-borrowed-knife-chaining-core-cloud-service-profile-infrastructure-for-cyber-attacks" + ], + "synonyms": [ + "Yayih", + "mswab", + "Graftor" + ] + }, + "value": "Aumlib", + "uuid": "f3ac3d86-0fa2-4049-bfbc-1970004b8d32" + }, + { + "meta": { + "refs": [ + "http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html" + ] + }, + "value": "CTRat", + "uuid": "f78cfa32-a629-421e-94f7-1e696bba2892" + }, + { + "meta": { + "refs": [ + "http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan" + ], + "synonyms": [ + "Newsripper" + ] + }, + "value": "Emdivi", + "uuid": "a8395aae-1496-417d-98ee-3ecbcd9a94a0" + }, + { + "meta": { + "refs": [ + "www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf" + ], + "synonyms": [ + "Exploz", + "Specfix", + "RIPTIDE" + ] + }, + 
"value": "Etumbot", + "uuid": "91583583-95c0-444e-8175-483cbebc640b" + }, + { + "meta": { + "synonyms": [ + "Loneagent" + ] + }, + "value": "Fexel", + "uuid": "ba992105-373e-484a-ac81-2464deba93b7" + }, + { + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" + ] + }, + "value": "Fysbis", + "uuid": "bb929d1d-de95-4c3d-be79-55db3152dba1" + }, + { + "meta": { + "refs": [ + "https://blog.bit9.com/2013/02/25/bit9-security-incident-update/" + ] + }, + "value": "Hikit", + "uuid": "06953055-92ed-4936-8ffd-d9d72ab6bef6" + }, + { + "meta": { + "synonyms": [ + "Tordal", + "Chanitor", + "Pony" + ], + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" + ] + }, + "value": "Hancitor", + "uuid": "ff0404a1-465f-4dd5-8b66-ee773628ca64" + }, + { + "meta": { + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" + ] + }, + "value": "Ruckguv", + "uuid": "d70bd6a8-5fd4-42e8-8e39-fb18daeccdb2" + }, + { + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + ] + }, + "value": "HerHer Trojan", + "uuid": "0798f8d2-1099-4122-8735-5a116264d3db" + }, + { + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + ] + }, + "value": "Helminth backdoor", + "uuid": "7bc1110b-fdc5-4501-a19b-e86304da4eb9" + }, + { + "meta": { + "refs": [ + "http://williamshowalter.com/a-universal-windows-bootkit/" + ] + }, + "value": "HDRoot", + "uuid": "d2c1a439-585a-48bc-8176-c0c46dfac270" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html" + ] + }, + "value": "IRONGATE", + "uuid": "5514e486-6158-40d8-b258-047938b8ee20" + }, + { + "meta": { + "refs": [ + 
"https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" + ] + }, + "value": "ShimRAT", + "uuid": "487f26a5-8531-4ec6-bfa4-691834b156b8" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "synonyms": [ + "XAgent" + ], + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/", + "https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq", + "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", + "https://objective-see.com/blog/blog_0x25.html#XAgent" + ] + }, + "description": "APT28's second-stage persistent macOS backdoor. This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.\n\nXagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration. Xagent is the group\u2019s flagship backdoor and heavily used in their operations. Early versions for Linux and Windows were seen years ago, then in 2015 an iOS version came out. 
One year later, an Android version was discovered and finally, in the beginning of 2017, an Xagent sample for OS X was described.", + "value": "X-Agent", + "uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c" + }, + { + "meta": { + "synonyms": [ + "XTunnel" + ] + }, + "value": "X-Tunnel", + "uuid": "6d180bd7-3c77-4faf-b98b-dc2ab5f49101" + }, + { + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + ] + }, + "value": "Foozer", + "uuid": "e4137f66-be82-4da7-96e6-e37ab33ea34f" + }, + { + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + ] + }, + "value": "WinIDS", + "uuid": "82875947-fafb-467a-82df-0d2e37111b97" + }, + { + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + ] + }, + "value": "DownRange", + "uuid": "56349213-b73e-4a30-8188-08de1a77b960" + }, + { + "meta": { + "refs": [ + "https://www.arbornetworks.com/blog/asert/mad-max-dga/" + ] + }, + "value": "Mad Max", + "uuid": "d3d56dd0-3409-470a-958b-a865fdd158f9" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" + ] + }, + "description": "Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims", + "value": "Crimson", + "uuid": "858edfb8-793a-430b-8acc-4310e7d2f0d3" + }, + { + "meta": { + "type": [ + "Backdoor" + ], + "refs": [ + "http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" + ] + }, + "description": "Operation Groundbait based on our research into the Prikormka malware family. 
This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.", + "value": "Prikormka", + "uuid": "67ade442-63f2-4319-bdcd-d2564b963ed6" + }, + { + "meta": { + "refs": [ + "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf" + ] + }, + "description": "This whitepaper details a malicious program we identify as NanHaiShu. Based on our analysis, the threat actor behind this malware targets government and private-sector organizations.", + "value": "NanHaiShu", + "uuid": "7abd6950-7a07-4d9e-ade1-62414fa50619" + }, + { + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/" + ] + }, + "description": "Umbreon (sharing the same name as the Pok\u00e9mon) targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.", + "value": "Umbreon", + "uuid": "2a18f5dd-40fc-444b-a7c6-85f94b3eee13" + }, + { + "meta": { + "refs": [ + "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" + ] + }, + "description": "Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013\u2013Carbanak. 
This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.", + "value": "Odinaff", + "uuid": "e2fa7aea-fb33-4efc-b61b-ccae71b32e7d" + }, + { + "meta": { + "synonyms": [ + "Houdini" + ], + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/" + ] + }, + "description": "Unit 42 has observed a new version of Hworm (or Houdini) being used within multiple attacks. This blog outlines technical details of this new Hworm version and documents an attack campaign making use of the backdoor. Of the samples used in this attack, the first we observed were June 2016, while as-of publication we were still seeing attacks as recently as mid-October, suggesting that this is likely an active, ongoing campaign.", + "value": "Hworm", + "uuid": "e5f7bb36-c982-4f5a-9b29-ab73d2c5f70e" + }, + { + "meta": { + "synonyms": [ + "Dripion" + ], + "refs": [ + "http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan" + ] + }, + "description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.", + "value": "Backdoor.Dripion", + "uuid": "9dec36a3-b7df-477d-8f38-90aed47ca7cf" + }, + { + "meta": { + "synonyms": [ + "AlienSpy", + "Frutas", + "Unrecom", + "Sockrat", + "JSocket", + "jRat", + "Backdoor:Java/Adwind" + ], + "refs": [ + "https://securelist.com/blog/research/73660/adwind-faq/" + ] + }, + "description": "Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. 
A significant amount of additional functionality can be provided through downloadable plugins, including such things as remote control options and shell command execution.", + "value": "Adwind", + "uuid": "ab4694d6-7043-41f2-b328-d93bec9c1b22" + }, + { + "value": "Bedep", + "uuid": "066f8ad3-0c99-43eb-990c-8fae2c232f62" + }, + { + "value": "Cromptui", + "uuid": "c4d80484-9486-4d5f-95f3-f40cc2de45ea" + }, + { + "meta": { + "synonyms": [ + "Cridex" + ], + "refs": [ + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf" + ] + }, + "description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.", + "value": "Dridex", + "uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da" + }, + { + "value": "Fareit", + "uuid": "652b5242-b790-4695-ad0e-b79bbf78f351" + }, + { + "value": "Gafgyt", + "uuid": "5fe338c6-723e-43ed-8165-43d95fa93689" + }, + { + "meta": { + "synonyms": [ + "Andromeda" + ], + "refs": [ + "https://blog.gdatasoftware.com/2015/03/24274-the-andromeda-gamarue-botnet-is-on-the-rise-again" + ] + }, + "value": "Gamarue", + "uuid": "b9f00c61-6cd1-4112-a632-c8d3837a7ddd" + }, + { + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Necurs_botnet" + ] + }, + "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.", + "value": "Necurs", + "uuid": "97d34770-44cc-4ecb-bdce-ba11581c0e2a" + }, + { + "value": "Palevo", + "uuid": "af0ea2b8-97ae-4ec1-a2c5-8f5dd0c9537b" + }, + { + "meta": { + "synonyms": [ + "Qbot", + "Qakbot", + "PinkSlipBot" + ], + "refs": [ + "https://en.wikipedia.org/wiki/Akbot" + ] + }, + "value": "Akbot", + "uuid": "ac2ff27d-a7cb-46fe-ae32-cfe571dc614d" + }, + { + "description": "Upatre is a Trojan downloader that is used to set up 
other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. ", + "value": "Upatre", + "uuid": "99d9110d-85a4-4819-9f85-05e4b73aa5f3" + }, + { + "meta": { + "refs": [ + "https://www.sophos.com/medialibrary/PDFs/technical%20papers/sophos-vawtrak-international-crimeware-as-a-service-tpna.pdf" + ] + }, + "description": "Vawtrak is an information stealing malware family that is primarily used to gain unauthorised access to bank accounts through online banking websites.", + "value": "Vawtrak", + "uuid": "e95dd1ba-7485-4c02-bf2e-14beedbcf053" + }, + { + "meta": { + "refs": [ + "https://github.com/adaptivethreat/Empire" + ] + }, + "description": "Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework", + "value": "Empire", + "uuid": "525ce93a-76a1-441a-9c45-0eac64d0ed12" + }, + { + "meta": { + "refs": [ + "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf" + ] + }, + "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. 
", + "value": "Explosive", + "uuid": "0155c3b1-8c7c-4176-aeda-68678dd99992" + }, + { + "meta": { + "refs": [ + "https://citizenlab.org/2016/11/parliament-keyboy/", + "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india" + ] + }, + "description": "The actors used a new version of \u201cKeyBoy,\u201d a custom backdoor first disclosed by researchers at Rapid7 in June 2013. Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data", + "value": "KeyBoy", + "uuid": "74167065-90b3-4c29-807a-79b6f098e45b" + }, + { + "meta": { + "synonyms": [ + "W32/Seeav" + ], + "refs": [ + "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" + ] + }, + "description": "The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware...", + "value": "Yahoyah", + "uuid": "2a16a1d4-a098-4f17-80f3-3cfc6c60b539" + }, + { + "description": "Delphi RAT used by Sofacy.", + "value": "Tartine", + "uuid": "67f0b6cb-a484-4b8c-aacb-88a7238568b0" + }, + { + "meta": { + "synonyms": [ + "Linux/Mirai" + ], + "refs": [ + "https://en.wikipedia.org/wiki/Mirai_(malware)" + ] + }, + "description": "Mirai (Japanese for \"the future\") is malware that turns computer systems running Linux into remotely controlled \"bots\", that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers. 
The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH and the October 2016 Dyn cyberattack.",
+ "value": "Mirai",
+ "uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5"
+ },
+ {
+ "value": "Masuta",
+ "description": "IoT malware based on Mirai but slightly improved.",
+ "meta": {
+ "refs": [
+ "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7"
+ ],
+ "synonyms": [
+ "PureMasuta"
+ ]
+ },
+ "uuid": "1d4dec2c-915a-4fef-ba7a-633421bd0848"
+ },
+ {
+ "value": "BASHLITE",
+ "uuid": "55f8fb60-6339-4bc2-baa0-41e698e11f95"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.virusbulletin.com/conference/vb2014/abstracts/back-blackenergy-2014-targeted-attacks-ukraine-and-poland/"
+ ]
+ },
+ "description": "BlackEnergy is a trojan which has undergone significant functional changes since it was first publicly analysed by Arbor Networks in 2007. It has evolved from a relatively simple DDoS trojan into a relatively sophisticated piece of modern malware with a modular architecture, making it a suitable tool for sending spam and for online bank fraud, as well as for targeted attacks. BlackEnergy version 2, which featured rootkit techniques, was documented by SecureWorks in 2010. The targeted attacks recently discovered are proof that the trojan is still alive and kicking in 2014. We provide a technical analysis of the BlackEnergy family, focusing on novel functionality and the differences introduced by new lite variants. 
We describe the most notable aspects of the malware, including its techniques for bypassing UAC, defeating the signed driver requirement in Windows and a selection of BlackEnergy2 plug-ins used for parasitic file infections, network discovery and remote code execution and data collection.",
+ "value": "BlackEnergy",
+ "uuid": "5a22cad7-65fa-4b7a-a7aa-7915a6101efa"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Seaduke"
+ ],
+ "refs": [
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2015-031915-4935-99"
+ ]
+ },
+ "description": "Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.",
+ "value": "Trojan.Seaduke",
+ "uuid": "3449215f-2650-48bb-a4fb-6549654cbccc"
+ },
+ {
+ "value": "Backdoor.Tinybaron",
+ "uuid": "2b6b35fb-2ed4-46ce-b603-62ca2b9b2812"
+ },
+ {
+ "value": "Incognito RAT",
+ "uuid": "307803df-6537-4e4d-a1c8-f219f278e564"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Carberplike"
+ ],
+ "refs": [
+ "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
+ "https://twitter.com/Timo_Steffens/status/814781584536719360"
+ ]
+ },
+ "value": "DownRage",
+ "uuid": "ab5c4362-c369-4c78-985d-04ba1226ea32"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan"
+ ]
+ },
+ "value": "Chthonic",
+ "uuid": "783f61a1-8210-4145-b801-53f71b909ebf"
+ },
+ {
+ "value": "GeminiDuke",
+ "description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/wiki/Software/S0049"
+ ]
+ },
+ "uuid": "6a28a648-30c0-4d1d-bd67-81a8dc6486ba"
+ },
+ {
+ "value": "Zeus",
+ "description": "Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. 
The Trojan is created using a Trojan-building toolkit.",
+ "meta": {
+ "refs": [
+ "https://en.wikipedia.org/wiki/Zeus_(malware)",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99"
+ ],
+ "synonyms": [
+ "Trojan.Zbot",
+ "Zbot"
+ ]
+ },
+ "uuid": "0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7"
+ },
+ {
+ "value": "Shifu",
+ "description": "Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.",
+ "meta": {
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"
+ ],
+ "derivated_from": [
+ "Shiz"
+ ]
+ },
+ "uuid": "67d712c8-d254-4820-83fa-9a892b87923b"
+ },
+ {
+ "value": "Shiz",
+ "description": "The new variant of the Shiz Trojan malware targets mission-critical enterprise resource planning (ERP) applications \u2014 particularly SAP users. ",
+ "meta": {
+ "refs": [
+ "https://securityintelligence.com/tag/shiz-trojan-malware/"
+ ]
+ },
+ "uuid": "e6085ce0-af6d-41f7-8bcb-7f2eed246941"
+ },
+ {
+ "value": "MM Core",
+ "description": "Also known as \u201cBaneChant\u201d, MM Core is a file-less APT which is executed in memory by a downloader component. It was first reported in 2013 under the version number \u201c2.0-LNK\u201d where it used the tag \u201cBaneChant\u201d in its command-and-control (C2) network request. 
A second version \u201c2.1-LNK\u201d with the network tag \u201cStrangeLove\u201d was discovered shortly after.",
+ "meta": {
+ "refs": [
+ "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose"
+ ],
+ "synonyms": [
+ "MM Core backdoor",
+ "BigBoss",
+ "SillyGoose",
+ "BaneChant",
+ "StrangeLove"
+ ]
+ },
+ "uuid": "74bd8c09-73d5-4ad8-ab1f-e94a4853c936"
+ },
+ {
+ "value": "Shamoon",
+ "description": "Shamoon,[a] also known as Disttrack, is a modular computer virus discovered by Seculert[1] in 2012, targeting recent NT kernel-based versions of Microsoft Windows. The virus has been used for cyber espionage in the energy sector.[2][3][4] Its discovery was announced on 16 August 2012 by Symantec,[3] Kaspersky Lab,[5] and Seculert.[6] Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware.[5][6]",
+ "meta": {
+ "refs": [
+ "https://en.wikipedia.org/wiki/Shamoon"
+ ]
+ },
+ "uuid": "776b1849-8d5b-4762-8ba1-cbbaddb4ce3a"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/"
+ ]
+ },
+ "description": "According to MalwareHunterTeam and other researchers that have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.",
+ "value": "GhostAdmin",
+ "uuid": "a68f1b43-c742-4f90-974d-2e74ec703e44"
+ },
+ {
+ "meta": {
+ "country": "IT",
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/"
+ ]
+ },
+ "description": "Two Italians referred to as the \u201cOcchionero brothers\u201d have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called \u201cEyePyramid\u201d, which we first discussed last week. 
(Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)",
+ "value": "EyePyramid Malware",
+ "uuid": "52c2499f-c74f-4bab-bad2-c278e798654c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/"
+ ]
+ },
+ "description": "LuminosityLink is a malware family costing $40 that purports to be a system administration utility",
+ "value": "LuminosityLink",
+ "uuid": "f586d3e4-39fc-489a-808b-03f590bfe092"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Floki Bot",
+ "Floki"
+ ],
+ "refs": [
+ "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/"
+ ]
+ },
+ "description": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.",
+ "value": "Flokibot",
+ "uuid": "8034978b-3a32-4662-b1bf-b525e59e469f"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ ]
+ },
+ "description": "Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. 
Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.",
+ "value": "ZeroT",
+ "uuid": "ff00fa92-b32e-46b6-88ca-98357ebe3f54"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
+ ]
+ },
+ "description": "Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples \u2018stream\u2019, combined with the dropper functionality to append \u2018ex\u2019 to the DLL file name. The StreamEx family has the ability to access and modify the user\u2019s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild. 
",
+ "value": "StreamEx",
+ "uuid": "9991ace8-1a62-498c-a9ef-19d474deb505"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "adzok",
+ "uuid": "d08201b8-9774-41a1-abdb-c7f3828139b0"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "albertino",
+ "uuid": "18c31de5-41b3-4a92-a6ee-23b74cc2797d"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "arcom",
+ "uuid": "00dcba51-126f-4758-8273-9770ddf9031c"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "blacknix",
+ "uuid": "0a5d5825-0ab9-48ff-a5d9-b6b131b65833"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "bluebanana",
+ "uuid": "df7deaa3-2a2c-4460-8674-20ec24e89fba"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "bozok",
+ "uuid": "cff2e174-52b8-4304-903a-012f97d70b7c"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "clientmesh",
+ "uuid": "26785174-0b89-4cec-9ed0-5a72a0ff4c49"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "cybergate",
+ "uuid": "f6e6540e-c21f-4202-ac46-185e735215db"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [ 
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "darkcomet",
+ "uuid": "15949ecb-1f2b-4f59-9cf7-5751694e8fba"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "darkrat",
+ "uuid": "c9e6e42a-65c0-418e-ab77-09bcdb1214a3"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "gh0st",
+ "uuid": "1b1ae63f-bcee-4aba-8994-6c60cee5e16f"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "greame",
+ "uuid": "43e400b3-918b-4a2c-9a69-7166c81a835b"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "hawkeye",
+ "uuid": "3edd9d1b-e15d-4411-a67f-01e04701e95d"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "javadropper",
+ "uuid": "3a80cc5e-ae91-4aa4-aa2b-8f538861acbe"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "lostdoor",
+ "uuid": "3fcebce8-fb31-4edb-ae88-7fb0d90d440c"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "luxnet",
+ "uuid": "df6ccb07-a26c-427a-9d93-5fed2609a1d4"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "pandora",
+ "uuid": 
"2c215062-5739-4859-bd82-9639ae1d1756"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "poisonivy",
+ "uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "predatorpain",
+ "uuid": "6762975d-ddbc-4871-ab14-4796c9f38307"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "punisher",
+ "uuid": "0d8d212a-d327-406e-8954-5b20158a9966"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "qrat",
+ "uuid": "c3a784ee-cef7-4604-a5ba-ec7b193a5152"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "shadowtech",
+ "uuid": "d5e53ee4-1114-4801-83c9-58c633049aff"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "smallnet",
+ "uuid": "73ee15e9-ffb3-496d-ae65-fad50e675bdd"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "spygate",
+ "uuid": "408ff7f3-f30c-481f-a3e7-2c69b375f7d9"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "template",
+ "uuid": "244be9e7-4f68-4fd8-9abd-ee6ca591aa00"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ 
"https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "tapaoux",
+ "uuid": "b7b4c682-090b-4da2-abc2-541fd3157579"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "vantom",
+ "uuid": "aba90e76-ce56-4660-a498-90eeb1f0195b"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "virusrat",
+ "uuid": "aa054c62-3595-4c65-97ee-209029cc6004"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "xena",
+ "uuid": "87596188-4c1f-494c-8713-21d5fa062580"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "xtreme",
+ "uuid": "2d4e2910-4b25-4562-ad88-b35dd678a117"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "darkddoser",
+ "uuid": "505629dc-6b81-424e-a452-164629a7a66f"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "jspy",
+ "uuid": "8abd10df-2c31-4895-8ec1-270603078f47"
+ },
+ {
+ "meta": {
+ "type": [
+ "Backdoor"
+ ],
+ "refs": [
+ "https://github.com/kevthehermit/RATDecoders"
+ ]
+ },
+ "description": "Remote Access Trojan",
+ "value": "xrat",
+ "uuid": "c76e2ee8-52d1-4a55-81df-5542d232ca32"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://github.com/n1nj4sec/pupy"
+ ]
+ },
+ "description": "Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool 
mainly written in python.",
+ "value": "PupyRAT",
+ "uuid": "4d6dec19-b0bc-4698-87ed-272823c45d95"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/elf_imeij.a"
+ ]
+ },
+ "description": "Linux Arm malware spread via RFIs in cgi-bin scripts. This backdoor executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.",
+ "value": "ELF_IMEIJ",
+ "uuid": "acb6ae45-d4e2-48a1-ab72-86e72004c27a"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor"
+ ]
+ },
+ "description": "KHRAT is a small backdoor that has three exports (functions), namely, K1, K2, and K3. K1 checks if the current user is an administrator. If not, it uninstalls itself by calling the K2 function.",
+ "value": "KHRAT",
+ "uuid": "72b702d9-43c3-40b9-b004-8d0671225fb8"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://www.enigmasoftware.com/trochilusrat-removal/"
+ ]
+ },
+ "description": "The Trochilus RAT is a threatening RAT (Remote Access Trojan) that may evade many anti-virus programs. The Trochilus RAT is currently being used as part of an extended threat campaign in South East Asia. The first appearance of the Trochilus RAT in this campaign, which has been active since August of 2015, was first detected in the summer of 2015. 
The Trochilus RAT is currently being used against civil society organizations and government computers in the South East Asia region, particularly in attacks directed towards the government of Myanmar.",
+ "value": "Trochilus",
+ "uuid": "5e15e4ca-0e04-4af1-ab2a-779dbcad545d"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
+ ]
+ },
+ "description": "The MoonWind sample used for this analysis was compiled with a Chinese compiler known as BlackMoon, the same compiler used for the BlackMoon banking Trojan. While a number of attributes match the BlackMoon banking Trojan, the malware is not the same. Both malware families were simply compiled using the same compiler, and it was the BlackMoon artifacts that resulted in the naming of the BlackMoon banking Trojan. But because this new sample is different from the BlackMoon banking Trojan,",
+ "value": "MoonWind",
+ "uuid": "76ec1827-68a1-488f-9899-2b788ea8db64"
+ },
+ {
+ "description": "Chrysaor is spyware believed to be created by NSO Group Technologies, specializing in the creation and sale of software and infrastructure for targeted attacks. Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS and analyzed by Citizen Lab and Lookout.",
+ "value": "Chrysaor",
+ "meta": {
+ "refs": [
+ "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
+ ],
+ "synonyms": [
+ "Pegasus",
+ "Pegasus spyware"
+ ]
+ },
+ "uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://virusradar.com/en/Win32_Sathurbot.A/description",
+ "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/"
+ ]
+ },
+ "description": "The trojan serves as a backdoor. 
It can be controlled remotely.",
+ "value": "Sathurbot",
+ "uuid": "35849d8f-5bac-475b-82f8-7d555f37de12"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": "The AURIGA malware family shares a large amount of functionality with the BANGAT backdoor. The malware family contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. The AURIGA malware contains a driver component which is used to inject the malware DLL into other processes. This driver can also perform process and IP connection hiding. The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the \"Microsoft corp\" strings in the cmd.exe binary with different values. The malware family typically maintains persistence through installing itself as a service.",
+ "value": "AURIGA",
+ "uuid": "316c87d4-4404-42ab-9887-f9e321aed93c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": "The BANGAT malware family shares a large amount of functionality with the AURIGA backdoor. The malware family contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. In addition, the malware also implements a custom VNC like protocol which sends screenshots of the desktop to the C2 server and accepts keyboard and mouse input. The malware communicates to its C2 servers using SSL, with self signed SSL certificates. 
The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the \"Microsoft corp\" strings in the cmd.exe binary with different values. The malware family typically maintains persistence through installing itself as a service.",
+ "value": "BANGAT",
+ "uuid": "fa9b2176-1248-4d59-8da2-c31c7501a81d"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": "BISCUIT provides attackers with full access to an infected host. BISCUIT capabilities include launching an interactive command shell, enumerating servers on a Windows network, enumerating and manipulating process, and transferring files. BISCUIT communicates using a custom protocol, which is then encrypted using SSL. Once installed BISCUIT will attempt to beacon to its command/control servers approximately every 10 or 30 minutes. It will beacon its primary server first, followed by a secondary server. All communication is encrypted with SSL (OpenSSL 0.9.8i).",
+ "value": "BISCUIT",
+ "uuid": "f1e05a12-ca50-41ab-a963-d7df5bcb141d"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": "BOUNCER will load an extracted DLL into memory, and then will call the DLL's dump export. The dump export is called with the parameters passed via the command line to the BOUNCER executable. It requires at least two arguments, the IP and port to send the password dump information. It can accept at most five arguments, including a proxy IP, port and an x.509 key for SSL authentication. 
The DLL backdoor has the capability to execute arbitrary commands, collect database and server information, brute force SQL login credentials, launch arbitrary programs, create processes and threads, delete files, and redirect network traffic.",
+ "value": "BOUNCER",
+ "uuid": "52d9a474-fc37-48b5-8e39-4394194b9573"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": "This family of malware uses Google Calendar to retrieve commands and send results. It retrieves event feeds associated with Google Calendar, where each event contains commands from the attacker for the malware to perform. Results are posted back to the event feed. The malware authenticates with Google using the hard coded email address and passwords. The malware uses the deprecated ClientLogin authentication API from Google. The malware is registered as a service dll as a persistence mechanism. Artifacts of this may be found in the registry.",
+ "value": "CALENDAR",
+ "uuid": "e2c18713-0a95-4092-a0e9-76358512daad"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": "The COMBOS malware family is an HTTP based backdoor. The backdoor is capable of file upload, file download, spawning a interactive reverse shell, and terminating its own process. The backdoor may decrypt stored Internet Explorer credentials from the local system and transmit the credentials to the C2 server. 
The COMBOS malware family does not have any persistence mechanisms built into itself.",
+ "value": "COMBOS",
+ "uuid": "fa38b79c-9774-45a0-831c-24c6c8d39a22"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ],
+ "synonyms": [
+ "TROJAN.COOKIES"
+ ]
+ },
+ "description": "his family of malware is a backdoor capable of file upload and download as well as providing remote interactive shell access to the compromised machine. Communication with the Command & Control (C2) servers uses a combination of single-byte XOR and Base64 encoded data in the Cookie and Set-Cookie HTTP header fields. Communication with the C2 servers is over port 80. Some variants install a registry key as means of a persistence mechanism. The hardcoded strings cited include a string of a command in common with several other APT1 families.",
+ "value": "COOKIEBAG",
+ "uuid": "63be3d30-0c8d-4c0a-8eee-6c96880734cb"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": "Members of this malware family are backdoors that provide file downloading, process listing, process killing, and reverse shell capabilities. This malware may also add itself to the Authorized Applications list for the Windows Firewall.",
+ "value": "DAIRY",
+ "uuid": "2a56538f-7c21-44b3-b438-5baa025ed005"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": "Members of this family of malware are utilities designed to extract email messages and attachments from Outlook PST files. One part of this utility set is an executable, one is a dll. 
The malware may create a registry artifact related to the executable.",
+ "value": "GETMAIL",
+ "uuid": "5abd7dee-cca1-4bee-9b82-da3f9be2970b"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": "This family of malware is a utility designed to upload files to Google Docs. Nearly all communications are with docs.google.com are SSL encrypted. The malware does not use Google's published API to interact with their services. The malware does not currently work with Google Docs. It does not detect HTTP 302 redirections and will get caught in an infinite loop attempting to parse results from Google that are not present.",
+ "value": "GDOCUPLOAD",
+ "uuid": "4bb4320f-9379-43ba-ba8c-09dfece39000"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ],
+ "synonyms": [
+ "TROJAN.GTALK"
+ ]
+ },
+ "description": "GLOOXMAIL communicates with Google's Jabber/XMPP servers and authenticates with a hard-coded username and password. The malware can accept commands over XMPP that includes file upload and download, provide a remote shell, sending process listings, and terminating specified processes. The malware makes extensive use of the open source gloox library (http://camaya.net/gloox/, version 0.9.9.12) to communicate using the Jabber/XMPP protocol. All communications with the Google XMPP server are encrypted.",
+ "value": "GLOOXMAIL",
+ "uuid": "a379f09b-5cec-4bdb-9735-125cef2de073"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ],
+ "synonyms": [
+ "TROJAN.FOXY"
+ ]
+ },
+ "description": "A family of downloader malware, that retrieves an encoded payload from a fixed location, usually in the form of a file with the .jpg extension. 
Some variants have just an .exe that acts as a downloader, others have an .exe launcher that runs as a service and then loads an associated .dll of the same name that acts as the downloader. This IOC is targeted at the downloaders only. After downloading the file, the malware decodes the downloaded payload into an .exe file and launches it. The malware usually stages the files it uses in the %TEMP% directory or the %WINDIR%\\Temp directory.",
+ "value": "GOGGLES",
+ "uuid": "4bc55eb3-7c92-4668-a75a-d5e291387613"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": "Members of this family are full featured backdoors that communicates with a Web-based Command & Control (C2) server over SSL. Features include interactive shell, gathering system info, uploading and downloading files, and creating and killing processes, Malware in this family usually communicates with a hard-coded domain using SSL on port 443. Some members of this family rely on launchers to establish persistence mechanism for them. Others contains functionality that allows it to install itself, replacing an existing Windows service, and uninstall itself. Several variants use %SystemRoot%\\Tasks or %WinDir%\\Tasks as working directories, additional malware artifacts may be found there.",
+ "value": "GREENCAT",
+ "uuid": "21a1d15c-acdd-49d1-aa8e-8d5b311024f0"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": " This family of malware is a backdoor that provides reverse shell, process creation, system statistics collection, process enumeration, and process termination capabilities. This family is designed to be a service DLL and does not contain an installation mechanism. It usually communicates over port 443. 
Some variants use their own encryption, others use SSL.",
+ "value": "HACKFASE",
+ "uuid": "aef3e40b-d295-4663-a2d0-585512b3ae44"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": " This family of malware is designed to operate as a service and provides remote command execution and file transfer capabilities to a fixed IP address or domain name. All communication with the C2 server happens over port 443 using SSL. This family can be installed as a service DLL. Some variants allow for uninstallation.",
+ "value": "HELAUTO",
+ "uuid": "7c05c816-481f-499e-9545-d48b635dc2eb"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": "This family of malware is a backdoor that tunnels its connection through a preconfigured proxy. The malware communicates with a remote command and control server over HTTPS via the proxy. The malware installs itself as a Windows service with a service name supplied by the attacker but defaults to IPRIP if no service name is provided during install.",
+ "value": "KURTON",
+ "uuid": "616c7c32-110e-4bb3-8e99-4c2aeb8f8272"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html"
+ ]
+ },
+ "description": "LIGHTBOLT is a utility with the ability to perform HTTP GET requests for a list of user-specified URLs. The responses of the HTTP requests are then saved as MHTML files, which are added to encrypted RAR files. 
LIGHTBOLT has the ability to use software certificates for authentication.", + "value": "LIGHTBOLT", + "uuid": "57e43779-0665-427c-abcb-997c1c0ced8d" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "LIGHTDART is a tool used to access a pre-configured web page that hosts an interface to query a database or data set. The tool then downloads the results of a query against that web page to an encrypted RAR file. This RAR file (1.rar) is renamed and uploaded to an attacker controlled FTP server, or uploaded via an HTTP POST with a .jpg extension. The malware will execute this search once a day. The target webpage usually contains information useful to the attacker, which is updated on a regular basis. Examples of targeted information include weather information or ship coordinates.", + "value": "LIGHTDART", + "uuid": "986f6b0f-51f8-4f83-bb38-8354a83a7f32" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "LONGRUN is a backdoor designed to communicate with a hard-coded IP address and provide the attackers with a custom interactive shell. It supports file uploads and downloads, and executing arbitrary commands on the compromised machine. When LONGRUN executes, it first loads configuration data stored as an obfuscated string inside the PE resource section. The distinctive string thequickbrownfxjmpsvalzydg is used as part of the input to the decoding algorithm. When the configuration data string is decoded it is parsed and treated as an IP and port number. 
The malware then connects to the host and begins interacting with it over a custom protocol.", + "value": "LONGRUN", + "uuid": "5a2fc164-f6cf-4528-b85f-f2319545c8ad" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "This family of malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files. This IOC looks for both the dropper file and the backdoor.", + "value": "MANITSME", + "uuid": "25db921d-d753-4fb1-b51b-961d7fdae6f4" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html", + "http://contagiodump.blogspot.com/2010/06/these-days-i-see-spike-in-number-of.html" + ] + }, + "description": "This malware utility is a set of two files that operate in conjunction to extract email messages and attachments from an Exchange server. In order to operate successfully, these programs require authentication credentials for a user on the Exchange server, and must be run from a machine joined to the domain that has Microsoft Outlook installed (or equivalent software that provides the Microsoft 'Messaging API' (MAPI) service).", + "value": "MAPIGET", + "uuid": "bf08965f-03a5-4cf6-83fb-8d3c9e9398ee" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "This family of malware consists of backdoors that attempt to fetch encoded commands over HTTP. 
The malware is capable of downloading a file, downloading and executing a file, executing arbitrary shell commands, or sleeping a specified interval.", + "value": "MINIASP", + "uuid": "ea9c7068-1c28-4826-a7d1-7ac04760e5c9" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "The NEWSREELS malware family is an HTTP based backdoor. When first started, NEWSREELS decodes two strings from its resources section. These strings are both used as C2 channels, one URL is used as a beacon URL (transmitting) and the second URL is used to get commands (receiving). The NEWSREELS malware family is capable of performing file uploads, downloads, creating processes or creating an interactive reverse shell.", + "value": "NEWSREELS", + "uuid": "5abc6792-be17-48ee-a765-29cffa4242ee" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "The SEASALT malware family communicates via a custom binary protocol. It is capable of gathering some basic system information, file system manipulation, file upload and download, process creation and termination, and spawning an interactive reverse shell. The malware maintains persistence by installing itself as a service.", + "value": "SEASALT", + "uuid": "7429aaf8-85a8-4ae9-b583-c7eec0f5b0cb" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "STARSYPOUND provides an interactive remote shell over an obfuscated communications channel. When it is first run, it loads a string (from the executable PE resource section) containing the beacon IP address and port. The malware sends the beacon string \"*(SY)# \" to the remote system, where is the hostname of the victim system. The remote host responds with a packet that also begins with the string \"*(SY)# cmd\". 
This causes the malware to launch a new cmd.exe child process. Further communications are forwarded to the cmd.exe child process to execute. The commands sent to the shell and their responses are obfuscated when sent over the network.", + "value": "STARSYPOUND", + "uuid": "d0220108-48d7-4056-babc-189048f37a59" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "This family of malware provides a backdoor over the network to the attackers. It is configured to connect to a single host and offers file download over HTTP, program execution, and arbitrary execution of commands through a cmd.exe instance.", + "value": "SWORD", + "uuid": "96fb29fa-7c3a-4124-baf5-cc5f99b2a05f" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ], + "synonyms": [ + "TROJAN LETSGO" + ] + }, + "description": " This malware family is a full-featured backdoor capable of file uploading and downloading, arbitrary execution of programs, and providing a remote interactive command shell. All communications with the C2 server are sent over HTTP to a static URL, appending various URL parameters to the request. Some variants use a slightly different URL.", + "value": "TABMSGSQL", + "uuid": "d5a4cbe7-81c9-4a52-80ee-07ca3f625844" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address. The capability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process enumeration, process creation, process termination. 
The TARSIP-ECLIPSE family is distinguished by the presence of 'eclipse' in .pdb debug strings present in the malware samples. It does not provide a built in mechanism to maintain persistence.", + "value": "TARSIP-ECLIPSE", + "uuid": "049590f1-3f3a-4670-a341-d6d29fbb123f" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address. The capability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process enumeration, process creation, process termination. The TARSIP-MOON family is distinguished by the presence of 'moon' in .pdb debug strings present in the malware samples. It does not provide a built in mechanism to maintain persistence.", + "value": "TARSIP-MOON", + "uuid": "dbce78ac-5729-4bd1-b7c0-6bc0344564bc" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "The WARP malware family is an HTTP based backdoor written in C++, and the majority of its code base is borrowed from source code available in the public domain. Network communications are implemented using the same WWW client library (w3c.cpp) available from www.dankrusi.com/file_69653F3336383837.html. The malware has system survey functionality (collects hostname, current user, system uptime, CPU speed, etc.) taken directly from the BO2K backdoor available from www.bo2k.com. It also contains the hard disk identification code found at www.winsim.com/diskid32/diskid32.cpp. When the WARP executing remote commands, the malware creates a copy of the ?%SYSTEMROOT%\\system32\\cmd.exe? file as '%USERPROFILE%\\Temp\\~ISUN32.EXE'. 
The version signature information of the duplicate executable is zeroed out. Some WARP variants maintain persistence through the use of DLL search order hijacking.", + "value": "WARP", + "uuid": "29917fb3-6c56-4659-a203-5885c4a8e70f" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is capable of downloading and executing a file. All variants represented here are the same file with different MD5 signatures. This malware attempts to contact its C2 once a week (Thursday at 10:00 AM). It looks for commands inside a set of HTML tags, part of which are in the File Strings indicator term below.", + "value": "WEBC2-ADSPACE", + "uuid": "2d8043b4-48ef-4992-a04a-c342cbbb4f87" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware family is a only a downloader which operates over the HTTP protocol with a hard-coded URL. If directed, it has the capability to download, decompress, and execute compressed binaries.", + "value": "WEBC2-AUSOV", + "uuid": "e2a27431-28ea-42e3-a0cc-72f29828c292" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": " A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. 
It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is a backdoor capable of downloading files and updating its configuration. Communication with the command and control (C2) server uses a combination of single-byte XOR and Base64 encoded data wrapped in standard HTML tags. The malware family installs a registry key as a persistence mechanism.", + "value": "WEBC2-BOLID", + "uuid": "a601e1b0-c0bc-4665-9639-4dc5e588520c" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The family of malware provides the attacker with an interactive command shell, the ability to upload and download files, execute commands on the system, list processes and DLLs, kill processes, and ping hosts on the local network. Responses to these commands are encrypted and compressed before being POSTed to the server. Some variants copy cmd.exe to Updatasched.exe in a temporary directory, and then may launch that in a process if an interactive shell is called. On initial invocation, the malware also attempts to delete previous copies of the Updatasched.exe file.", + "value": "WEBC2-CLOVER", + "uuid": "d7fa0245-2cff-475f-9d8c-3728c83ac194" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware act only as downloaders and droppers for other malware. 
They communicate with a hard-coded C2 server, reading commands embedded in HTML comment fields. Some variants are executables which act upon execution, others are DLLs which can be attached to services or loaded through search order hijacking.", + "value": "WEBC2-CSON", + "uuid": "950a8038-eeec-44a0-b3db-a557e5796416" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-DIV variant searches for the strings \"div safe:\" and \" balance\" to delimit encoded C2 information. If the decoded string begins with the letter \"J\" the malware will parse additional arguments in the decoded string to specify the sleep interval to use. WEBC2-DIV is capable of downloading a file, downloading and executing a file, or sleeping a specified interval.", + "value": "WEBC2-DIV", + "uuid": "54be66ea-fd26-4f25-b4af-d10d16fa919f" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware is a variant on the GREENCAT family, using a fixed web C2. This family is a full featured backdoor which provides remote command execution, file transfer, process and service enumeration and manipulation. 
It installs itself persistently through the current user's registry Run key.", + "value": "WEBC2-GREENCAT", + "uuid": "bfe69071-17bf-466f-97fd-669b72053137" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-HEAD variant communicates over HTTPS, using the system's SSL implementation to encrypt all communications with the C2 server. WEBC2-HEAD first issues an HTTP GET to the host, sending the Base64-encoded string containing the name of the compromised machine running the malware.", + "value": "WEBC2-HEAD", + "uuid": "4ef97a7e-5686-44cb-ad91-7a393f32f39b" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-KT3 variant searches for commands in a specific comment tag. Network traffic starting with *!Kt3+v| may indicate WEBC2-KT3 activity.", + "value": "WEBC2-KT3", + "uuid": "e2afc267-9674-4ca3-807f-47678fb40da4" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-QBP variant will search for two strings in a HTML comment. The first will be \"2010QBP \" followed by \" 2010QBP//--\". 
Inside these tags will be a DES-encrypted string. ", + "value": "WEBC2-QBP", + "uuid": "84f3bacf-abd5-445e-a98a-5b02f1eaac92" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware will set itself up as a service and connect out to a hardcoded web page and read a modified base64 string from this webpage. The later versions of this malware supports three commands (earlier ones are just downloaders or reverse shells). The first commands will sleep the malware for N number of hours. The second command will download a binary from the encoded HTML comment and execute it on the infected host. The third will spawn an encoded reverse shell to an attacker specified location and port.", + "value": "WEBC2-RAVE", + "uuid": "9e36feee-e7d2-400a-960e-5f2bd6ac0c15" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TABLE variant looks for web pages containing 'background', 'align', and 'bgcolor' tags to be present in the requested Web page. If the data in these tags are formatted correctly, the malware will decode a second URL and a filename. 
This URL is then retrieved, written to the decoded filename and executed.", + "value": "WEBC2-TABLE", + "uuid": "269fee27-f275-44e9-a0db-bebf14d2f83c" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TABLE variant looks for web pages containing 'background', 'align', and 'bgcolor' tags to be present in the requested Web page. If the data in these tags are formatted correctly, the malware will decode a second URL and a filename. This URL is then retrieved, written to the decoded filename and executed.", + "value": "WEBC2-TOCK", + "uuid": "3213c61f-100c-4174-b50b-c7e256ae5474" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware provide remote command shell and remote file download and execution capabilities. The malware downloads a web page containing a crafted HTML comment that subsequently contains an encoded command. The contents of this command tell the malware whether to download and execute a program, launch a reverse shell to a specific host and port number, or to sleep for a period of time. ", + "value": "WEBC2-UGX", + "uuid": "d155c213-02bd-4992-a410-a541a1c1eb40" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. 
It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of backdoor malware talk to specific Web-based Command & Control (C2) servers. The backdoor has a limited command set, depending on version. It is primarily a downloader, but it classified as a backdoor because it can accept a limited command set, including changing local directories, downloading and executing additional files, sleeping, and connecting to a specific IP & port not initially included in the instruction set for the malware. Each version of the malware has at least one hardcoded URL to which it connects to receive its initial commands. This family of malware installs itself as a service, with the malware either being the executable run by the service, or the service DLL loaded by a legitimate service. The same core code is seen recompiled on different dates or with different names, but the same functionality. Key signatures include a specific set of functions (some of which can be used with the OS-provided rundll32.exe tool to install the malware as a service), and hardcoded strings used in communication with C2 servers to issue commands to the implant.", + "value": "WEBC2-Y21K", + "uuid": "215f6352-324f-4735-9fda-ffec0daaa2d2" + }, + { + "meta": { + "refs": [ + "http://contagiodump.blogspot.lu/2013/03/mandiant-apt1-samples-categorized-by.html" + ] + }, + "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-YAHOO variant enters a loop where every ten minutes it attempts to download a web page that may contain an encoded URL. The encoded URL will be found in the pages returned inside an attribute named 'sb' or 'ex' within a tag named 'yahoo'. 
The embedded link can direct the malware to download and execute files.", + "value": "WEBC2-YAHOO", + "uuid": "d49f372e-c4ee-47bd-bc98-e3877fabaf9e" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" + ] + }, + "description": "HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard coded command and control (C2) server, using the system\u2019s default User-Agent string.", + "value": "HAYMAKER", + "uuid": "d71604d2-a17e-4b4e-82be-19cb54f93161" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" + ] + }, + "description": "BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell.", + "value": "BUGJUICE", + "uuid": "90124cc8-1205-4e63-83ad-5c45a110b1e6" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" + ] + }, + "description": "SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. The malware\u2019s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell. 
Persistence is maintained through a Run registry key.", + "value": "SNUGRIDE", + "uuid": "6a42aa10-5b7e-43b0-8c58-414cdaeda453" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" + ] + }, + "description": "QUASARRAT is an open-source RAT available at https://github.com/quasar/QuasarRat . The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past.", + "value": "QUASARRAT", + "uuid": "4d58ad7d-b5ee-4efb-b6af-6c70aadb326a" + }, + { + "meta": { + "refs": [ + "http://surveillance.rsf.org/en/hacking-team/", + "https://wikileaks.org/hackingteam/emails/fileid/581640/267803", + "https://wikileaks.org/hackingteam/emails/emailid/31436" + ], + "synonyms": [ + "DaVinci", + "Morcut" + ] + }, + "description": "Hacking Team\u2019s \"DaVinci\" Remote Control System is able, the company says, to break encryption and allow law enforcement agencies to monitor encrypted files and emails (even ones encrypted with PGP), Skype and other Voice over IP or chat communication. It allows identification of the target\u2019s location and relationships. It can also remotely activate microphones and cameras on a computer and works worldwide. Hacking Team claims that its software is able to monitor hundreds of thousands of computers at once, all over the country. 
Trojans are available for Windows, Mac, Linux, iOS, Android, Symbian and Blackberry.", + "value": "da Vinci RCS", + "uuid": "37709067-e55e-473b-bb1c-312a27714d0c" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html", + "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html" + ] + }, + "description": "LATENTBOT, a new, highly obfuscated BOT that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.", + "value": "LATENTBOT", + "uuid": "635d260f-39d9-4d3f-99ec-d2560cb5d694" + }, + { + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html" + ], + "synonyms": [ + "BlackOasis" + ] + }, + "description": "Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.", + "value": "FINSPY", + "uuid": "dd4358a4-7a43-42f7-8322-0f941ee61e57" + }, + { + "meta": { + "refs": [ + "https://www.f-secure.com/documents/996508/1030745/callisto-group" + ] + }, + "description": "HackingTeam Remote Control System (RCS) Galileo hacking platform", + "value": "RCS Galileo", + "uuid": "8a15832a-2cb1-47cc-8916-c16a507f7154" + }, + { + "description": "RedHat 7.0 - 7.1 Sendmail 8.11.x exploit", + "value": "EARLYSHOVEL", + "uuid": "80c7b1bf-c35f-4831-90ce-0699f6173f1b" + }, + { + "description": "root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86", + "value": "EBBISLAND (EBBSHAVE)", + "uuid": "370331a1-2178-4369-afb7-ce2da134a2ba" + }, + { + "description": "remote Samba 3.0.x Linux exploit", + "value": "ECHOWRECKER", + "uuid": "0381c40e-81c6-4a18-b5b6-48b7eef211c7" + }, + { + "description": "appears to be 
an MDaemon email server vulnerability", + "value": "EASYBEE", + "uuid": "7f96b58d-0f41-46cd-8141-c53d2a03fb81" + }, + { + "description": "an IBM Lotus Notes exploit that gets detected as Stuxnet", + "value": "EASYPI", + "uuid": "4f3df03f-336d-4a2b-a500-47e93a4259e6" + }, + { + "description": "an exploit for IBM Lotus Domino 6.5.4 & 7.0.2", + "value": "EWOKFRENZY", + "uuid": "c8fedb97-4f7e-48d1-8f2a-5e0562c1fba0" + }, + { + "description": "an IIS 6.0 exploit that creates a remote backdoor", + "value": "EXPLODINGCAN", + "uuid": "f843ef63-9e42-42d0-84a0-40d863985088" + }, + { + "description": "a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010)", + "value": "ETERNALROMANCE", + "uuid": "b5c5174e-36a2-4b53-aed7-91b006514c8b" + }, + { + "description": "a SMB exploit (MS09-050)", + "value": "EDUCATEDSCHOLAR", + "uuid": "342a64db-f130-4ac2-96d2-a773fb2bf86d" + }, + { + "description": "a SMB exploit for Windows XP and Server 2003 (MS10-061)", + "value": "EMERALDTHREAD", + "uuid": "32cd0bfb-9269-43ba-9c43-9fc484a30ad0" + }, + { + "description": "a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2", + "value": "EMPHASISMINE", + "uuid": "48393a71-3814-48ab-805b-a7914e006814" + }, + { + "description": "Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users", + "value": "ENGLISHMANSDENTIST", + "uuid": "ce484c02-b538-4351-ba7e-48c7d05c013f" + }, + { + "description": "0-day exploit (RCE) for Avaya Call Server", + "value": "EPICHERO", + "uuid": "7120af74-6589-44a4-aee6-0f8fd3808d54" + }, + { + "description": "SMBv1 exploit targeting Windows XP and Server 2003", + "value": "ERRATICGOPHER", + "uuid": "a82fa4a0-1904-4c03-9fc4-7cbcd255ce58" + }, + { + "description": "a SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010)", + "value": "ETERNALSYNERGY", + "uuid": "b4547fe9-25c9-40b6-9256-07f1ed7548c4" + }, + { + 
"description": "SMBv2 exploit for Windows 7 SP1 (MS17-010)", + "value": "ETERNALBLUE", + "uuid": "e5b14d3e-ae59-495e-bdcb-f9d876db3f87" + }, + { + "description": "a SMBv1 exploit", + "value": "ETERNALCHAMPION", + "uuid": "4aee9bfe-f01d-44ea-9edd-91ecad88413a" + }, + { + "description": "Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers", + "value": "ESKIMOROLL", + "uuid": "4a8db2c4-04fb-49e0-b688-1bc5d8354072" + }, + { + "description": "RDP exploit and backdoor for Windows Server 2003", + "value": "ESTEEMAUDIT", + "uuid": "5d9131be-c3bb-44ac-9c4d-19fcc97d2efd" + }, + { + "description": "RCE exploit for the Server service in Windows Server 2008 and later (MS08-067)", + "value": "ECLIPSEDWING", + "uuid": "406ad0a9-b1fc-4edc-aa20-692a69f349a6" + }, + { + "description": "exploit for IMail 8.10 to 8.22", + "value": "ETRE", + "uuid": "3aaef939-132c-4cfb-9243-20918373ccfe" + }, + { + "description": "an exploit framework, similar to MetaSploit", + "value": "FUZZBUNCH", + "uuid": "3de1aa96-24cd-4790-babc-df0b2d657bdb" + }, + { + "description": "implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not detected by any AV vendors", + "value": "ODDJOB", + "uuid": "d20f9a41-db27-4d53-995e-547f86ff3d1e" + }, + { + "description": "utility which Bypasses authentication for Oracle servers", + "value": "PASSFREELY", + "uuid": "b68ac0c5-124a-4f22-9c99-0c1cd42bdee3" + }, + { + "description": "check if the target is vulnerable to samba exploits like ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE", + "value": "SMBTOUCH", + "uuid": "48cf4f29-41a2-4244-bb25-377362eaa3ae" + }, + { + "description": "Check if the target is running some RPC", + "value": "ERRATICGOPHERTOUCH", + "uuid": "a122b8e0-1249-4c77-8ef7-6b9caf48ab4f" + }, + { + "description": "check if the running IIS version is vulnerable", + "value": "IISTOUCH", + "uuid": "7b4bf6dd-d191-429b-a5ee-9305093aa1ec" + }, + { + "description": "get info about windows via RPC", + 
"value": "RPCOUTCH", + "uuid": "2c9e90ea-7421-4101-97a6-ebe095bd29ad" + }, + { + "description": "used to connect to machines exploited by ETERNALCHAMPIONS", + "value": "DOPU", + "uuid": "f1657aac-a6be-4383-8cd6-06b833acf07c" + }, + { + "description": "covert surveillance tools", + "value": "FlexSpy", + "uuid": "71d6e949-69df-4d64-9637-136780226f49" + }, + { + "value": "feodo", + "description": "Unfortunately, it is time to meet 'Feodo'. Since august of this year when FireEye's MPS devices detected this malware in the field, we have been monitoring this banking trojan very closely. In many ways, this malware looks similar to other famous banking trojans like Zbot and SpyEye. Although my analysis says that this malware is not a toolkit and is in the hands of a single criminal group.", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2010/10/feodosoff-a-new-botnet-on-the-rise.html" + ] + }, + "uuid": "372cdc12-d909-463c-877a-175f97f7abb5" + }, + { + "value": "Cardinal RAT", + "description": "Palo Alto Networks has discovered a previously unknown remote access Trojan (RAT) that has been active for over two years. It has a very low volume in this two-year period, totaling roughly 27 total samples. The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) Programming Language source code into an executable that in turn is run to deploy the Cardinal RAT malware family. These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.", + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" + ] + }, + "uuid": "1d9fbf33-faea-40c1-b543-c7b39561f0ff" + }, + { + "description": "The REDLEAVES implant consists of three parts: an executable, a loader, and the implant shellcode. 
The REDLEAVES implant is a remote administration Trojan (RAT) that is built in Visual C++ and makes heavy use of thread generation during its execution. The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2.", + "value": "REDLEAVES", + "meta": { + "refs": [ + "https://www.us-cert.gov/ncas/alerts/TA17-117A" + ] + }, + "uuid": "179f7228-6fcf-4664-a084-57bd296d0cde" + }, + { + "description": "Kazuar is a fully featured backdoor written using the .NET Framework and obfuscated using the open source packer called ConfuserEx. Unit 42 researchers have uncovered a backdoor Trojan used in an espionage campaign. The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan\u2019s capabilities. During our analysis of this malware we uncovered interesting code paths and other artifacts that may indicate a Mac or Unix variant of this same tool also exists. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver. We suspect the Kazuar tool may be linked to the Turla threat actor group (also known as Uroburos and Snake), who have been reported to have compromised embassies, defense contractors, educational institutions, and research organizations across the globe. A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005. If the hypothesis is correct and the Turla threat group is using Kazuar, we believe they may be using it as a replacement for Carbon and its derivatives. 
Of the myriad of tools observed in use by Turla Carbon and its variants were typically deployed as a second stage backdoor within targeted environments and we believe Kazuar may now hold a similar role for Turla operations.", + "value": "Kazuar", + "meta": { + "refs": [ + "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" + ] + }, + "uuid": "a5399473-859b-4c64-999b-a3b4070cd513" + }, + { + "description": "Many links indicate, that this bot is another product of the people previously involved in Dyreza. It seems to be rewritten from scratch \u2013 however, it contains many similar features and solutions to those we encountered analyzing Dyreza (read more).", + "value": "Trick Bot", + "meta": { + "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", + "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", + "https://securityintelligence.com/trickbot-is-hand-picking-private-banks-for-targets-with-redirection-attacks-in-tow/" + ], + "synonyms": [ + "TrickBot", + "TrickLoader" + ] + }, + "uuid": "a7dbd72f-8d53-48c6-a9db-d16e7648b2d4" + }, + { + "description": "Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform named Hackshit, that records the credentials of the phished bait victims. The phished bait pages are packaged with base64 encoding and served from secure (HTTPS) websites with \u201c.moe\u201d top level domain (TLD) to evade traditional scanners. \u201c.moe\u201d TLD is intended for the purpose of \u2018The marketing of products or services deemed\u2019. The victim\u2019s credentials are sent to the Hackshit PhaaS platform via websockets. 
The Netskope Active Platform can proactively protect customers by creating custom applications and a policy to block all the activities related to Hackshit PhaaS.", + "value": "Hackshit", + "meta": { + "refs": [ + "https://resources.netskope.com/h/i/352356475-phishing-as-a-service-phishing-revamped" + ] + }, + "uuid": "02d2ed4a-ce3f-430b-a8da-5b9750c148ca" + }, + { + "value": "Moneygram Adwind", + "meta": { + "refs": [ + "https://myonlinesecurity.co.uk/new-guidelines-from-moneygram-malspam-delivers-a-brand-new-java-adwind-version/" + ] + }, + "uuid": "6c6e717d-03c5-496d-83e9-13bdaa408348" + }, + { + "description": " Banload has been around since the last decade. This malware generally arrives on a victim\u2019s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or a drive-by download. When executed, Banload downloads other malware, often banking Trojans, on the victim\u2019s system to carry out further infections.", + "value": "Banload", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2016/03/banload-malware-affecting-brazil-exhibits-unusually-complex-infection-process/", + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/banload", + "http://blog.trendmicro.com/trendlabs-security-intelligence/banload-limits-targets-via-security-plugin/", + "https://securingtomorrow.mcafee.com/mcafee-labs/banload-trojan-targets-brazilians-with-malware-downloads/" + ] + }, + "uuid": "d279bc1c-baa6-49aa-ab1b-7d012ae8db4e" + }, + { + "description": "This small application is used to download other malware. 
What makes the bot interesting are various tricks that it uses for deception and self protection.", + "value": "Smoke Loader", + "meta": { + "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" + ], + "synonyms": [ + "Dofoil" + ] + }, + "uuid": "81f41bae-2ba9-4cec-9613-776be71645ca" + }, + { + "description": "The analyzed sample has a recent compilation date (2017-06-24) and is available on VirusTotal. It starts out by resolving several Windows functions using API hashing (CRC32 is used as the hashing function).", + "value": "LockPoS", + "meta": { + "refs": [ + "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/" + ] + }, + "uuid": "c740c46b-1d95-42b5-ac3d-2bbab071b859" + }, + { + "description": "Win.Worm.Fadok drops several files. %AppData%\\RAC\\mls.exe or %AppData%\\RAC\\svcsc.exe are instances of the malware which are auto-started when Windows starts. Further, the worm drops and opens a Word document. It connects to the domain wxanalytics[.]ru.", + "value": "Fadok", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm%3AWin32%2FFadok.A", + "http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html" + ], + "synonyms": [ + "Win32/Fadok" + ] + }, + "uuid": "6243b2d1-381b-4aa4-a59f-839afcdf03f2" + }, + { + "description": "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. 
This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.", + "value": "Loki Bot", + "meta": { + "refs": [ + "https://phishme.com/loki-bot-malware/" + ] + }, + "uuid": "9085faf1-e5ec-4e51-83eb-92620afda7be" + }, + { + "description": "Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. \nThroughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time. In this article, we will analyse this evolution:", + "value": "KONNI", + "meta": { + "refs": [ + "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" + ] + }, + "uuid": "24ee55e3-697f-482f-8fa8-d05999df40cd" + }, + { + "description": "Recently, Palo Alto Networks researchers discovered an advanced Android malware we\u2019ve named \u201cSpyDealer\u201d which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. 
SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.", + "value": "SpyDealer", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" + ] + }, + "uuid": "f86b4977-228d-4b31-854d-8bdc92db4653" + }, + { + "value": "CowerSnail", + "description": "CowerSnail was compiled using Qt and linked with various libraries. This framework provides benefits such as cross-platform capability and transferability of the source code between different operating systems. ", + "meta": { + "refs": [ + "https://securelist.com/cowersnail-from-the-creators-of-sambacry/79087/" + ] + }, + "uuid": "6da16d56-eaf9-475d-a7e0-4a11e0200c14" + }, + { + "description": "In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng \u2013 Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.", + "value": "Svpeng", + "meta": { + "refs": [ + "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/" + ], + "synonyms": [ + "trojan-banker.androidos.svpeng.ae" + ] + }, + "uuid": "a33df440-f112-4a5e-a290-3c65dae6091d" + }, + { + "description": "While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization. The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell. It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server. 
Due to these two layers, we use the name TwoFace to track this webshell.\nDuring our analysis, we extracted the commands executed by the TwoFace webshell from the server logs on the compromised server. Our analysis shows that the commands issued by the threat actor date back to June 2016; this suggests that the actor had access to this shell for almost an entire year. The commands issued show the actor was interested in gathering credentials from the compromised server using the Mimikatz tool. We also saw the attacker using the TwoFace webshell to move laterally through the network by copying itself and other webshells to other servers.", + "value": "TwoFace", + "meta": { + "type": [ + "webshell" + ], + "refs": [ + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/" + ] + }, + "uuid": "9334c430-0d83-4893-8982-66a1dc1a2b11" + }, + { + "description": "Like TwoFace, the IntrudingDivisor webshell requires the threat actor to authenticate before issuing commands. To authenticate, the actor must provide two pieces of information, first an integer that is divisible by 5473 and a string whose MD5 hash is \u201c9A26A0E7B88940DAA84FC4D5E6C61AD0\u201d. Upon successful authentication, the webshell has a command handler that uses integers within the request to determine the command to execute - To complete", + "value": "IntrudingDivisor", + "meta": { + "type": [ + "webshell" + ], + "refs": [ + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/" + ] + }, + "uuid": "bb2bd10b-b36d-4390-bf60-bd8d2d7cedec" + }, + { + "description": "Attacks that use completely fileless malware are a rare occurrence, so we thought it important to discuss a new trojan known as JS_POWMET (Detected by Trend Micro as JS_POWMET.DE), which arrives via an autostart registry procedure. 
By utilizing a completely fileless infection chain, the malware will be more difficult to analyze using a sandbox, making it more difficult for anti-malware engineers to examine.", + "value": "JS_POWMET", + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/" + ] + }, + "uuid": "c602edae-b186-4c60-a4f6-8785d6aa0eb0" + }, + { + "value": "EngineBox Malware", + "description": "The main malware capabilities include a privilege escalation attempt using MS16\u2013032 exploitation; a HTTP Proxy to intercept banking transactions; a backdoor to make it possible for the attacker to issue arbitrary remote commands and a C&C through a IRC channel. As it's being identified as a Generic Trojan by most of VirusTotal (VT) engines, let s name it EngineBox\u2014 the core malware class I saw after reverse engineering it.", + "meta": { + "refs": [ + "https://isc.sans.edu/diary/22736" + ] + }, + "uuid": "17839df6-aa15-4269-b4b1-9e7ae8cfec1e" + }, + { + "value": "Joao", + "description": "Spread via hacked Aeria games offered on unofficial websites, the modular malware can download and install virtually any other malicious code on the victim\u2019s computer. To spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games (MMORPGs) originally published by Aeria Games. At the time of writing this article, the Joao downloader was being distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.", + "meta": { + "refs": [ + "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/" + ] + }, + "uuid": "673d05fa-4066-442c-bdb6-0c0a2da5ae62" + }, + { + "value": "Fireball", + "description": "Upon execution, Fireball installs a browser hijacker as well as any number of adware programs. 
Several different sources have linked different indicators of compromise (IOCs) and varied payloads, but a few details remain the same.", + "meta": { + "refs": [ + "https://www.cylance.com/en_us/blog/threat-spotlight-is-fireball-adware-or-malware.html" + ] + }, + "uuid": "968df869-7f60-4420-989f-23dfdbd58668" + }, + { + "value": "ShadowPad", + "description": "ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. This stage is responsible for connecting to \u201cvalidation\u201d command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes.", + "meta": { + "refs": [ + "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf" + ] + }, + "uuid": "2448a4e1-46e3-4c42-9fd1-f51f8ede58c1" + }, + { + "value": "IoT_reaper", + "description": "IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking, the most recently data (October 19) from just one C2 shows the number of unique active bot IP address is more than 10k per day. 
While at the same time, there are millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet.", + "meta": { + "refs": [ + "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/" + ] + }, + "uuid": "6052becf-3060-444c-8ed7-d4a3901ae7dd" + }, + { + "value": "FormBook", + "description": "FormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016.", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", + "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/" + ] + }, + "uuid": "c7e7063b-b2a2-4046-8a19-94dea018eaa0" + }, + { + "value": "Dimnie", + "description": "Dimnie, the commonly agreed upon name for the binary dropped by the PowerShell script above, has been around for several years. Palo Alto Networks has observed samples dating back to early 2014 with identical command and control mechanisms. The malware family serves as a downloader and has a modular design encompassing various information stealing functionalities. Each module is injected into the memory of core Windows processes, further complicating analysis. During its lifespan, it appears to have undergone few changes and its stealthy command and control methods combined with a previously Russian focused target base has allowed it to fly under the radar up until this most recent campaign.", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/" + ] + }, + "uuid": "9fed4326-a7ad-4c58-ab87-90ac3957d82f" + }, + { + "value": "ALMA Communicator", + "description": "The ALMA Communicator Trojan is a backdoor Trojan that uses DNS tunneling exclusively to receive commands from the adversary and to exfiltrate data. 
This Trojan specifically reads in a configuration from the cfg file that was initially created by the Clayslide delivery document. ALMA does not have an internal configuration, so the Trojan does not function without the cfg file created by the delivery document.", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/" + ] + }, + "uuid": "45de0d28-5a20-4190-ae21-68067e36e316" + }, + { + "value": "Silence", + "description": "In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks but we also found infected organizations in Malaysia and Armenia. The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day to day activity on bank employees\u2019 PCs, learning how things works in their target banks, what software is being used, and then using that knowledge to steal as much money as possible when ready. \nWe saw that technique before in Carbanak, and other similar cases worldwide. The infection vector is a spear-phishing email with a malicious attachment. An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims.", + "meta": { + "refs": [ + "https://securelist.com/the-silence/83009/" + ] + }, + "uuid": "304fd753-c917-4008-8f85-81390c37a070" + }, + { + "value": "Volgmer", + "description": "Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries. 
It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer", + "meta": { + "refs": [ + "https://www.us-cert.gov/ncas/alerts/TA17-318B" + ] + }, + "uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931" + }, + { + "value": "Nymaim", + "description": "Nymaim is a 2-year-old strain of malware most closely associated with ransomware. We have seen recent attacks spreading it using an established email marketing service provider to avoid blacklists and detection tools. But instead of ransomware, the malware is now being used to distribute banking Trojans", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0" + ] + }, + "uuid": "d36f4834-b958-4f32-aff0-5263e0034408" + }, + { + "value": "GootKit", + "description": "As was the case earlier, the bot Gootkit is written in NodeJS, and is downloaded to a victim computer via a chain of downloaders. The main purpose of the bot also remained the same \u2013 to steal banking data. The new Gootkit version, detected in September, primarily targets clients of European banks, including those in Germany, France, Italy, the Netherlands, Poland, etc.", + "meta": { + "refs": [ + "https://securelist.com/inside-the-gootkit-cc-server/76433/", + "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", + "https://securityintelligence.com/gootkit-launches-redirection-attacks-in-the-uk/", + "https://www.symantec.com/security_response/writeup.jsp?docid=2010-051118-0604-99" + ], + "synonyms": [ + "Gootkit" + ] + }, + "uuid": "07ffcf9f-b9c0-4b22-af4b-78527427e6f5" + }, + { + "value": "Agent Tesla", + "description": "Agent Tesla is modern powerful keystroke logger. 
It provides monitoring your personel computer via keyboard and screenshot. Keyboard, screenshot and registered passwords are sent in log. You can receive your logs via e-mail, ftp or php(web panel). ", + "meta": { + "refs": [ + "https://www.agenttesla.com/" + ] + }, + "uuid": "f8cd62cb-b9d3-4352-8f46-0961cfde104c" + }, + { + "value": "Ordinypt", + "description": "A new ransomware strain called Ordinypt is currently targeting victims in Germany, but instead of encrypting users' documents, the ransomware rewrites files with random data. Ordinypt is actually a wiper and not ransomware because it does not bother encrypting anything, but just replaces files with random data.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/" + ], + "synonyms": [ + "HSDFSDCrypt" + ] + }, + "uuid": "1d46f816-d159-4457-b98e-c34307d90655" + }, + { + "value": "StrongPity2", + "description": "Detected by ESET as Win32/StrongPity2, this spyware notably resembles one that was attributed to the group called StrongPity.", + "meta": { + "synonyms": [ + "Win32/StrongPity2" + ], + "refs": [ + "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/" + ] + }, + "uuid": "d422e7c9-a2ac-45b2-9804-61d16a6e30e7" + }, + { + "value": "wp-vcd", + "description": "WordPress site owners should be on the lookout for a malware strain tracked as wp-vcd that hides in legitimate WordPress files and that is used to add a secret admin user and grant attackers control over infected sites.\nThe malware was first spotted online over the summer by Italian security researcher Manuel D'Orso.\nThe initial version of this threat was loaded via an include call for the wp-vcd.php file \u2014hence the malware's name\u2014 and injected malicious code into WordPress core files such as functions.php and class.wp.php. 
This was not a massive campaign, but attacks continued throughout the recent months.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-campaign-is-back/", + "https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-spreads-via-nulled-wordpress-themes/" + ] + }, + "uuid": "99de56dc-92c5-4540-91bc-a6cd1e3a3c7f" + }, + { + "value": "MoneyTaker 5.0", + "description": "malicious program for auto replacement of payment data in AWS CBR", + "meta": { + "refs": [ + "https://www.group-ib.com/blog/moneytaker" + ] + }, + "uuid": "0acb6f04-7e51-44bb-843c-4bb55a3647d5" + }, + { + "value": "Quant Loader", + "description": "Described as a \"professional exe loader / dll dropper\" Quant Loader is in fact a very basic trojan downloader. It began being advertised on September 1, 2016 on various Russian underground forums.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/", + "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground" + ] + }, + "uuid": "2d1aadfb-03c1-4580-b6ac-f12c6941067d" + }, + { + "value": "SSHDoor", + "description": "The Secure Shell Protocol (SSH) is a very popular protocol used for secure data communication. It is widely used in the Unix world to manage remote servers, transfer files, etc. The modified SSH daemon described here, Linux/SSHDoor.A, is designed to steal usernames and passwords and allows remote access to the server via either an hardcoded password or SSH key.", + "meta": { + "refs": [ + "https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/" + ] + }, + "uuid": "f258f96c-8281-4b24-8aa7-4e23d1a5540e" + }, + { + "value": "TRISIS", + "description": "(Dragos Inc.) 
The team identifies this malware as TRISIS because it targets Schneider Electric\u2019s Triconex safety instrumented system (SIS) enabling the replacement of logic in final control elements. TRISIS is highly targeted and likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products. (FireEye Inc.) This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack. TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. ", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", + "https://dragos.com/blog/trisis/TRISIS-01.pdf" + ], + "synonyms": [ + "TRITON" + ] + }, + "uuid": "8a45d1a5-8157-4303-a47a-352282065059" + }, + { + "value": "OSX.Pirrit", + "description": "macOS adware strain ", + "meta": { + "refs": [ + "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", + "https://www2.cybereason.com/research-osx-pirrit-mac-adware", + "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf" + ], + "synonyms": [ + "OSX/Pirrit" + ] + }, + "uuid": "e2b7ddc2-2fce-4ef9-9054-609e74a8775e" + }, + { + "value": "GratefulPOS", + "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. 
Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.", + "meta": { + "refs": [ + "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season" + ] + }, + "uuid": "4cfe3f22-96b8-4d3d-a6cc-85835d9471e2" + }, + { + "value": "PRILEX", + "description": "Prilex malware steals the information of the infected ATM\u2019s users. In this case, it was a Brazilian bank, but consider the implications of such an attack in your region, whether you\u2019re a customer or the bank.", + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/" + ] + }, + "uuid": "523e8772-0610-424c-bcfb-9123bcb8328f" + }, + { + "value": "CUTLET MAKER", + "description": "Cutlet Maker is an ATM malware designed to empty the machine of all its banknotes. 
Interestingly, while its authors have been advertising its sale, their competitors have already cracked the program, allowing anybody to use it for free.",
+ "meta": {
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/"
+ ]
+ },
+ "uuid": "c03e7054-6013-4f69-994d-7cdaa41588ed"
+ },
+ {
+ "value": "Satori",
+ "description": "According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/",
+ "https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant"
+ ],
+ "synonyms": [
+ "Okiru"
+ ]
+ },
+ "uuid": "1ad4697b-3388-48ed-8621-85abebf5dbbf"
+ },
+ {
+ "value": "PowerSpritz",
+ "description": "PowerSpritz is a Windows executable that hides both its legitimate payload and malicious PowerShell command using a non-standard implementation of the already rarely used Spritz encryption algorithm (see the Attribution section for additional analysis of the Spritz implementation). 
This malicious downloader has been observed being delivered via spearphishing attacks using the TinyCC link shortener service to redirect to likely attacker-controlled servers hosting the malicious PowerSpritz payload.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf"
+ ]
+ },
+ "uuid": "5629bc84-58eb-42d9-adc6-cd0eeb08ccaf"
+ },
+ {
+ "value": "PowerRatankba",
+ "description": "PowerRatankba is used for the same purpose as Ratankba: as a first stage reconnaissance tool and for the deployment of further stage implants on targets that are deemed interesting by the actor. Similar to its predecessor, PowerRatankba utilizes HTTP for its C&C communication.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf"
+ ]
+ },
+ "uuid": "1f1be19e-d1b5-408b-90a0-03ad27cc8924"
+ },
+ {
+ "value": "Ratankba",
+ "description": "In one instance we observed, one of the initial malware delivered to the victim, RATANKBA, connects to a legitimate but compromised website from which a hack tool (nbt_scan.exe) is also downloaded. The domain also serves as one of the campaign\u2019s platform for C&C communication.\nThe threat actor uses RATANKBA to survey the lay of the land as it looks into various aspects of the host machine where it has been initially downloaded\u2014the machine that has been victim of the watering hole attack. Information such as the running tasks, domain, shares, user information, if the host has default internet connectivity, and so forth.",
+ "meta": {
+ "refs": [
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/"
+ ]
+ },
+ "uuid": "64b3c66b-fc70-4b5a-83a9-866cde2ccb0b"
+ },
+ {
+ "value": "USBStealer",
+ "description": "USBStealer serves as a network tool that extracts sensitive information from air-gapped networks. 
We have not seen this component since mid 2015.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
+ ]
+ },
+ "uuid": "44909efb-7cd3-42e3-b225-9f3e96b5f362"
+ },
+ {
+ "value": "Downdelph",
+ "description": "Downdelph is a lightweight downloader developed in the Delphi programming language. As we already mentioned in our white paper, its period of activity was from November 2013 to September 2015 and there have been no new variants seen since.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
+ ]
+ },
+ "uuid": "837a295c-15ff-41c0-9b7e-5f2fb502b00a"
+ },
+ {
+ "value": "CoinMiner",
+ "description": "Monero-mining malware",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/"
+ ]
+ },
+ "uuid": "89bd2020-2594-45c4-8957-522c0ac41370"
+ },
+ {
+ "value": "FruitFly",
+ "description": "A fully-featured backdoor, designed to perversely spy on Mac users",
+ "meta": {
+ "refs": [
+ "https://objective-see.com/blog/blog_0x25.html#FruitFly"
+ ]
+ },
+ "uuid": "6a6525b9-4656-4973-ab45-588592395d0c"
+ },
+ {
+ "value": "MacDownloader",
+ "description": "Iranian macOS exfiltration agent, targeting the 'defense industrial base' and human rights advocates.",
+ "meta": {
+ "refs": [
+ "https://objective-see.com/blog/blog_0x25.html#MacDownloader"
+ ],
+ "synonyms": [
+ "iKitten"
+ ]
+ },
+ "uuid": "14f08f6f-7f58-48a8-8469-472244ffb571"
+ },
+ {
+ "value": "Empyre",
+ "description": "The open-source macOS backdoor, 'Empye', maliciously packaged into a macro'd Word document",
+ "meta": {
+ "refs": [
+ "https://objective-see.com/blog/blog_0x25.html#Empyre"
+ ],
+ "synonyms": [
+ "Empye"
+ ]
+ },
+ "uuid": "cf55bbb8-37eb-4cc6-ac14-7b42b950c687"
+ },
+ {
+ "value": "Proton",
+ "description": "A fully-featured macOS backdoor, designed to collect and exfiltrate sensitive user data such as 1Password files, browser login data, and 
keychains.",
+ "meta": {
+ "refs": [
+ "https://objective-see.com/blog/blog_0x25.html#Proton"
+ ]
+ },
+ "uuid": "a495d254-7092-4a63-9872-3a82c13fe2dd"
+ },
+ {
+ "value": "Mughthesec",
+ "description": "Adware which hijacks a macOS user's homepage to redirect search queries.",
+ "meta": {
+ "refs": [
+ "https://objective-see.com/blog/blog_0x25.html"
+ ]
+ },
+ "uuid": "4e2f0af2-6d2d-4a49-adc9-fae3745fcb72"
+ },
+ {
+ "value": "Pwnet",
+ "description": "A macOS crypto-currency miner, distributed via a trojaned 'CS-GO' hack.",
+ "meta": {
+ "refs": [
+ "https://objective-see.com/blog/blog_0x25.html"
+ ]
+ },
+ "uuid": "29e52693-b325-4c14-93de-8f2ff9dca8bf"
+ },
+ {
+ "value": "CpuMeaner",
+ "description": "A macOS crypto-currency mining trojan.",
+ "meta": {
+ "refs": [
+ "https://objective-see.com/blog/blog_0x25.html"
+ ]
+ },
+ "uuid": "5bc62523-dc80-46b4-b5cb-9caf44c11552"
+ },
+ {
+ "value": "Travle",
+ "description": "The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The malware name Travle was chosen given a string found in early samples of this family: \u201cTravle Path Failed!\u201d. This typo was replaced with correct word \u201cTravel\u201d in newer releases. We believe that Travle could be a successor to the NetTraveler family.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455/"
+ ],
+ "synonyms": [
+ "PYLOT"
+ ]
+ },
+ "uuid": "9d689318-2bc1-4bfb-92ee-a81fea35434f"
+ },
+ {
+ "value": "Digmine",
+ "description": "Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the user\u2019s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account\u2019s friends. 
The abuse of Facebook is limited to propagation for now, but it wouldn\u2019t be implausible for attackers to hijack the Facebook account itself down the line. This functionality\u2019s code is pushed from the command-and-control (C&C) server, which means it can be updated.",
+ "meta": {
+ "refs": [
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/"
+ ]
+ },
+ "uuid": "d248a27c-d036-4032-bc70-803a1b0c8148"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tools/add_missing_uuid.py b/tools/add_missing_uuid.py
new file mode 100644
index 0000000..a556216
--- /dev/null
+++ b/tools/add_missing_uuid.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import json
+import argparse
+import uuid
+
+parser = argparse.ArgumentParser(description='Add missing uuids in clusters')
+parser.add_argument("-f", "--filename", required=True, help="nameof the cluster (without .json)")
+args = parser.parse_args()
+
+with open(args.filename+'.json') as json_file:
+ data = json.load(json_file)
+ json_file.close()
+
+ for value in data['values']:
+ if 'uuid' not in value:
+ value['uuid'] = str(uuid.uuid4())
+
+with open(args.filename+'.json', 'w') as json_file:
+ json.dump(data, json_file, indent=4)
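Review bot: `json_file.close()` inside the first `with` block in tools/add_missing_uuid.py is redundant — the context manager already closes the file on exit — and the mutation loop does not need to sit inside that block, so the block body can shrink to `data = json.load(json_file)` alone with the loop dedented after it. Because the tool rewrites the whole cluster file, key order matters for reviewable diffs: on interpreters whose dicts are not insertion-ordered (the bare `#!/usr/bin/env python` shebang and coding cookie suggest Python 2 may still be a target), `data = json.load(json_file, object_pairs_hook=OrderedDict)` (with `from collections import OrderedDict`) keeps the original order. Opening the file with `'w'` truncates it before `json.dump` runs, so a serialization error part-way through would leave an empty cluster file; writing to a temporary file next to it and renaming over the original would make the update atomic. Minor: both `open` calls should pass `encoding='utf-8'` so the result does not depend on the locale, and the `help` string has a typo, `help="name of the cluster (without .json)"`.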